Security readout for executives and security teams
Plain-English summary
F5 BIG-IP devices with the APM access policy feature turned on can be hijacked by attackers sending crafted network traffic, letting them run their own commands on the device. Because BIG-IP often sits at the network edge handling VPN and application access, a successful attack hands over a critical control point. CISA has confirmed this flaw is being actively exploited, so treat it as an immediate risk.
Executive priority
Treat as an emergency change. BIG-IP APM is a remote-access gateway, and CISA has flagged this CVE as actively exploited, so unpatched edge devices are a likely path to a breach. Authorize out-of-cycle patching and confirm completion within days, not weeks.
Technical view
CVE-2025-53521 is a critical pre-authentication remote code execution flaw (CVSS 9.8, CWE-121 stack-based buffer overflow) affecting F5 BIG-IP when an APM access policy is bound to a virtual server. Network-reachable, unauthenticated attackers can trigger memory corruption to gain code execution. Affected versions noted include 17.5.0, 17.1.0, 16.1.0, and 15.1.0; End-of-Technical-Support builds were not evaluated by the vendor.
Likely exposure
Internet-facing or DMZ-deployed BIG-IP virtual servers configured with an APM access policy (VPN, webtop, SSO portals) are directly exposed. Internal-only APM virtual servers face lower but real risk from any attacker with network reach.
Exploitation context
Listed in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation. The flaw is unauthenticated and network-based, making it attractive for initial access, credential theft, and pivoting into internal networks behind the BIG-IP.
Researcher notes
CWE-121 plus a CVSS 9.8 unauthenticated network vector is consistent with a stack overflow reachable through APM request parsing. Public sources do not enumerate exact patched build numbers in this bundle, so cross-reference F5 K000156741 for the authoritative fixed-version matrix and any workaround guidance before declaring devices safe. EoTS builds are explicitly out of scope and should be replaced.
Mitigation direction
- Apply the fixed versions identified in F5 advisory K000156741 on every affected BIG-IP appliance.
- Until patched, restrict management and APM virtual server reachability to known administrative networks.
- If APM is unused on a virtual server, remove the access policy binding to eliminate the attack path.
- Retire or upgrade BIG-IP builds that are End of Technical Support, since they were not evaluated.
- Rotate APM session secrets, admin credentials, and API tokens after patching as a precaution.
Validation and detection
- Inventory BIG-IP devices and confirm software versions against F5 K000156741 fix list.
- Identify virtual servers with an APM access policy attached using tmsh or the BIG-IP UI.
- After patching, confirm version on each device and that APM virtual servers respond normally.
- Review BIG-IP and APM logs for anomalous requests, crashes, or unexpected processes around the disclosure window.
- Check CISA KEV and F5 advisory pages for any updates to affected versions or guidance.
Public sources used
Michael Williams reviewed this cited source version on .
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-121: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2025-53521 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.8 (3.1)
- Known Exploited
- Yes
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CISA KEV status
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
9.8CriticalVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source materials
- CVE List V5 sourceCVE List V5
- https://my.f5.com/manage/s/article/K000156741CVE reference · vendor-advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521CVE reference · government-resource
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Stack-based Buffer Overflow
Stack-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
