Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks

Published: 2 April 2026 at 08:25:50

Alert date: 2 April 2026 at 09:01:29

Source: bleepingcomputer.com

Network Infrastructure, Zero-Day Vulnerabilities, Identity & Access

Internet security watchdog Shadowserver has discovered over 14,000 F5 BIG-IP Access Policy Manager (APM) instances exposed online that are vulnerable to ongoing attacks exploiting a critical-severity remote code execution vulnerability. The large number of exposed instances indicates widespread potential for compromise, with active exploitation campaigns already underway. Organizations using F5 BIG-IP APM systems need to immediately apply security patches to prevent unauthorized remote code execution attacks.

Technical details

CVE-2025-53521 is a critical-severity remote code execution vulnerability in F5 BIG-IP APM (Access Policy Manager) that was originally disclosed as a denial-of-service vulnerability but later reclassified as RCE. Attackers without privileges can exploit this vulnerability to gain remote code execution on unpatched BIG-IP APM systems with access policies configured on a virtual server. Over 14,000 BIG-IP APM instances remain exposed to attacks according to Shadowserver data.

Mitigation steps:

Apply patches for CVE-2025-53521.
Check disks, logs, and terminal history of BIG-IP devices for signs of malicious activity.
Rebuild affected systems from scratch if compromise is detected.
Rebuild the configuration from a known good source, as UCS files from compromised systems can contain persistent malware.
Federal agencies were ordered to secure their BIG-IP APM systems by a CISA deadline.

Affected products:

F5 BIG-IP APM (Access Policy Manager)
BIG-IP systems with access policies configured on virtual servers

IOCs:

F5 has published indicators of compromise (IOCs) and advised checking disks, logs, and terminal history of BIG-IP devices for signs of malicious activity.

This article was created with the assistance of AI technology by Perceptive.
