Severity rationale: Pre-authentication remote code execution as root; CVSS 9.8; confirmed in-the-wild exploitation; KEV-listed.
F5 BIG-IP APM CVE-2025-53521: Actively Exploited, Patch Immediately
F5 · BIG-IP Access Policy Manager (APM) — CVE-2025-53521
F5 has confirmed in-the-wild exploitation of CVE-2025-53521, an unauthenticated remote-code-execution flaw in BIG-IP APM. CISA added the CVE to the KEV catalog. Apply the F5 hotfix immediately, restrict management interfaces, and assume any APM that was internet-facing during the exploitation window may have been compromised.
Key Facts
- Vendor: F5
- Product: BIG-IP Access Policy Manager (APM)
- CVE: CVE-2025-53521
- CVSS: 9.8
- Exploitation: Exploited in the wild
- CISA KEV: Yes
- Affected versions: 16.1.0–16.1.4, 17.1.0–17.1.1
- Fixed versions: 16.1.5, 17.1.2
Summary
F5 disclosed CVE-2025-53521, an unauthenticated remote code execution vulnerability in the BIG-IP Access Policy Manager (APM) virtual server, with CVSS 9.8. Exploitation in the wild has been confirmed by both F5 and CISA, which added the CVE to the Known Exploited Vulnerabilities (KEV) catalog.
What happened
A flaw in the APM virtual server allows an unauthenticated attacker who can reach the management or data-plane interface to execute arbitrary commands as root. F5 issued an emergency hotfix and a permanent fix in 17.1.2 and 16.1.5. CISA observed exploitation against U.S. federal targets within 48 hours of disclosure.
Why it matters
BIG-IP APM commonly fronts SSO and VPN portals, so successful exploitation can pivot directly into identity infrastructure and internal networks.
Affected systems
BIG-IP APM 16.1.0–16.1.4 and 17.1.0–17.1.1 with the APM virtual server enabled and reachable on TCP/443.
Recommended actions
Apply the F5 hotfix today; restrict management interfaces to a jump host; review HTTP request logs and the APM access log for unexpected POSTs to /mgmt/tm/util/bash or new files under /var/tmp/; rotate all credentials terminated by the appliance.
Technical details
Vulnerability class: missing authentication on a management endpoint that internally proxies to a privileged shell utility. An unauthenticated POST to a specific APM endpoint allows command injection executed as root. No working exploit is reproduced here; refer to the F5 advisory and KEV entry.
Detection & hunting
Hunting ideas
- APM access log: unexpected POSTs to /mgmt/tm/util/bash or /mgmt/shared/.
- Filesystem: new files in /var/tmp/, /usr/local/www/, or anywhere under the iControl REST web root since disclosure.
- Process list: bash, python, or perl spawned by the httpd/tmm user.
- Outbound: new egress from the appliance to non-corporate IPs.
- Identity: review SSO/VPN session creations from the appliance for the prior 30 days; revoke long-lived tokens.
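The access-log hunt above, as an added example (not CyberBrief HQ's or F5's code): a small Python script that parses access-log lines and flags POSTs to the two endpoint prefixes named in the list, rating each hit by whether it came from an allowlisted jump host and whether the appliance accepted it. It assumes the log is in Apache "combined" layout and that the jump-host allowlist is known; the log lines and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in Apache "combined" layout, which is the
# format assumed here for the BIG-IP httpd access log. None of these are from a
# real appliance; the last line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
10.0.5.21 - admin [12/Aug/2025:09:14:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.77 - - [12/Aug/2025:09:15:31 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 231 "-" "python-requests/2.31"
203.0.113.9 - - [12/Aug/2025:09:16:05 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 88 "-" "Mozilla/5.0"
10.0.5.21 - admin [12/Aug/2025:09:20:10 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 198 "-" "curl/8.4.0"
192.0.2.44 - - [12/Aug/2025:09:22:48 +0000] "GET /my.policy HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not a valid access-log record
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Endpoint prefixes the advisory's hunting list says to watch for unexpected POSTs.
WATCHED_PREFIXES = ("/mgmt/tm/util/bash", "/mgmt/shared/")

# Assumed allowlist: the jump host(s) from which admin iControl REST calls are expected.
JUMP_HOSTS = frozenset({"10.0.5.21"})


@dataclass
class Finding:
    src: str
    user: str
    ts: str
    path: str
    status: int
    severity: str


def parse_line(line: str):
    """Return the fields of one access-log record, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(src: str, status: int, jump_hosts) -> str:
    # Strongest signal: a watched POST accepted (2xx) from a host that should never
    # make admin REST calls. A rejected request from such a host still counts as
    # probing. From an allowlisted jump host it may be an admin script, but it is
    # also what a stolen admin session looks like, so it is queued for review
    # rather than dropped.
    if src in jump_hosts:
        return "review"
    return "high" if 200 <= status < 300 else "medium"


def hunt(log_text: str, jump_hosts=JUMP_HOSTS) -> list:
    """Return one Finding per POST to a watched prefix, in log order."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if not path.startswith(WATCHED_PREFIXES):
            continue
        status = int(rec["status"])
        findings.append(Finding(rec["src"], rec["user"], rec["ts"], path, status,
                                classify(rec["src"], status, jump_hosts)))
    return findings


def sources_by_severity(findings) -> dict:
    """Group source addresses by severity: a compact view for the triage queue."""
    out = {}
    for f in findings:
        out.setdefault(f.severity, set()).add(f.src)
    return out


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.ts} {f.src} {f.user} POST {f.path} -> {f.status}")
```

On the sample input this yields three findings: a high (accepted POST to /mgmt/tm/util/bash from an unknown address), a medium (rejected POST under /mgmt/shared/ from another unknown address) and a review item (the same bash endpoint called from the jump host). Run it against the real log with the appliance's actual allowlist, and treat any "high" during the exploitation window as grounds for the credential rotation the advisory recommends.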
Recommended actions
Immediate containment
- Restrict the BIG-IP management interface to a jump host or VPN-only
- Apply the F5 hotfix today (do not wait for the maintenance window if APM is internet-facing)
- Revoke active SSO/VPN sessions terminated by the affected appliance
Patch and verify
- Upgrade to BIG-IP 17.1.2 or 16.1.5
- Verify the patched version with tmsh show /sys version
- Confirm the APM virtual server returns expected behavior on the fixed endpoint
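For the "verify the patched version" step, an added example (not F5's or CyberBrief HQ's code) that reads the output of tmsh show /sys version and compares the Version field against the affected and fixed ranges stated in this advisory. The layout of the sample output is assumed and constructed; only the Version line is parsed. Versions are compared as integer tuples so that a hypothetical 16.1.10 sorts after 16.1.4 instead of before it, which a string comparison would get wrong.

```python
import re

# Affected version ranges exactly as the advisory lists them (inclusive).
AFFECTED_RANGES = (((16, 1, 0), (16, 1, 4)), ((17, 1, 0), (17, 1, 1)))
# First fixed release on each branch, per the advisory.
FIXED_BY_BRANCH = {(16, 1): (16, 1, 5), (17, 1): (17, 1, 2)}

# Constructed sample of `tmsh show /sys version` output. The field layout is
# assumed; only the "Version" line is parsed, so other fields may differ on a
# real appliance.
SAMPLE_VULNERABLE = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1
  Build       0.0.2
  Edition     Point Release 1
"""

SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("Version     17.1.1", "Version     17.1.2")


def parse_version(text: str) -> tuple:
    """Extract the Version field as an int tuple (major, minor, patch)."""
    m = re.search(r"^\s*Version\s+(\d+)\.(\d+)\.(\d+)\b", text, re.MULTILINE)
    if m is None:
        raise ValueError("no Version field found in tmsh output")
    return tuple(int(g) for g in m.groups())


def is_affected(ver: tuple) -> bool:
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)


def assess(tmsh_output: str) -> dict:
    """Classify an appliance as vulnerable, fixed, or not listed in this advisory."""
    ver = parse_version(tmsh_output)
    branch = ver[:2]
    if is_affected(ver):
        return {"version": ver, "status": "vulnerable",
                "upgrade_to": FIXED_BY_BRANCH[branch]}
    # Assumption: releases on a listed branch at or after the first fixed
    # release carry the fix.
    if branch in FIXED_BY_BRANCH and ver >= FIXED_BY_BRANCH[branch]:
        return {"version": ver, "status": "fixed", "upgrade_to": None}
    # Branches the advisory does not mention are reported as unlisted rather
    # than safe; check the F5 advisory for those.
    return {"version": ver, "status": "not listed", "upgrade_to": None}


if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        r = assess(sample)
        print(".".join(map(str, r["version"])), r["status"], r["upgrade_to"])
```

This check keys only on the Version field, so an appliance running the emergency hotfix on an affected base version still reports as vulnerable here; compare the build or hotfix identifier against the F5 advisory separately before closing the ticket.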
Harden
- Move BIG-IP management to an out-of-band network
- Enforce phishing-resistant MFA on appliance admin accounts
- Enable remote log forwarding to your SIEM if not already in place
Monitor
- Add APM access-log signatures for the known indicators above
- Track CISA KEV updates and F5 advisories for follow-on CVEs in the same code path
Compliance relevance
Sources
Disclaimer: CyberBrief HQ articles are for informational purposes only and do not constitute security advice for any specific environment. Always validate guidance against your own controls and vendor advisories before acting.
