LiveActive security incident?Get immediate response
CVE Record

CVE-2025-53521: BigIP APM Vulnerability

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CriticalCVSS 9.8Known exploitedUpdated
Glexia's TakeHuman reviewedcritical

Security readout for executives and security teams

Plain-English summary

F5 BIG-IP devices with the APM access policy feature turned on can be hijacked by attackers sending crafted network traffic, letting them run their own commands on the device. Because BIG-IP often sits at the network edge handling VPN and application access, a successful attack hands over a critical control point. CISA has confirmed this flaw is being actively exploited, so treat it as an immediate risk.

Executive priority

Treat as an emergency change. BIG-IP APM is a remote-access gateway, and CISA has flagged this CVE as actively exploited, so unpatched edge devices are a likely path to a breach. Authorize out-of-cycle patching and confirm completion within days, not weeks.

Technical view

CVE-2025-53521 is a critical pre-authentication remote code execution flaw (CVSS 9.8, CWE-121 stack-based buffer overflow) affecting F5 BIG-IP when an APM access policy is bound to a virtual server. Network-reachable, unauthenticated attackers can trigger memory corruption to gain code execution. Affected versions noted include 17.5.0, 17.1.0, 16.1.0, and 15.1.0; End-of-Technical-Support builds were not evaluated by the vendor.

Likely exposure

Internet-facing or DMZ-deployed BIG-IP virtual servers configured with an APM access policy (VPN, webtop, SSO portals) are directly exposed. Internal-only APM virtual servers face lower but real risk from any attacker with network reach.

Exploitation context

Listed in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation. The flaw is unauthenticated and network-based, making it attractive for initial access, credential theft, and pivoting into internal networks behind the BIG-IP.

Researcher notes

CWE-121 plus a CVSS 9.8 unauthenticated network vector is consistent with a stack overflow reachable through APM request parsing. Public sources do not enumerate exact patched build numbers in this bundle, so cross-reference F5 K000156741 for the authoritative fixed-version matrix and any workaround guidance before declaring devices safe. EoTS builds are explicitly out of scope and should be replaced.

Mitigation direction

  • Apply the fixed versions identified in F5 advisory K000156741 on every affected BIG-IP appliance.
  • Until patched, restrict management and APM virtual server reachability to known administrative networks.
  • If APM is unused on a virtual server, remove the access policy binding to eliminate the attack path.
  • Retire or upgrade BIG-IP builds that are End of Technical Support, since they were not evaluated.
  • Rotate APM session secrets, admin credentials, and API tokens after patching as a precaution.

Validation and detection

  • Inventory BIG-IP devices and confirm software versions against F5 K000156741 fix list.
  • Identify virtual servers with an APM access policy attached using tmsh or the BIG-IP UI.
  • After patching, confirm version on each device and that APM virtual servers respond normally.
  • Review BIG-IP and APM logs for anomalous requests, crashes, or unexpected processes around the disclosure window.
  • Check CISA KEV and F5 advisory pages for any updates to affected versions or guidance.
Prepared
Reviewed
Confidence
high
Sources
4

Michael Williams reviewed this cited source version on .

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-121: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-53521 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

9.8Critical
CVSS 3.1 vector shape for CVE-2025-53521Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
F5BIG-IP17.5.0, 17.1.0, 16.1.0, 15.1.0unknown
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-121 · source CWE mapping

Stack-based Buffer Overflow

Stack-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.