    F5 BIG-IP Vuln Reclassified as RCE, Under Exploitation

    By admin | April 1, 2026 | 3 Mins Read

    A critical security vulnerability in F5’s BIG-IP application security product line, which was first disclosed in October as a high-severity denial-of-service (DoS) flaw, is under active exploitation in the wild.

    F5 on Saturday also re-categorized CVE-2025-53521 as a remote code execution (RCE) flaw with a 9.8 CVSS score. The vulnerability initially was disclosed and patched on Oct. 15, when it was described as a DoS bug for the BIG-IP Access Policy Manager, with a CVSS score of 7.5.

    Because of “new information obtained in March 2026,” the CVE was revised as an RCE flaw with a significantly higher severity rating, according to F5’s updated advisory. It’s unclear what the new information entailed. Dark Reading contacted F5 for comment but the company did not respond by press time.

    CVE-2025-53521 Under Attack

    F5 also warned in the updated advisory that CVE-2025-53521 has been exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Friday.

    According to F5, a threat actor can exploit the critical bug by sending “specific malicious traffic” to virtual servers configured with BIG-IP APM, which would give them RCE capabilities.

    BIG-IP APM versions 17.5.0 to 17.5.1, 17.1.0 to 17.1.2, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10 are vulnerable. F5 urged customers to upgrade to a fixed version. The network security vendor also said BIG-IP systems running in appliance mode, which restricts administrative access to the systems, are still vulnerable to the flaw.
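
A version check for inventory triage against the ranges listed above, added here as an example and not taken from F5 or the original article. Hostnames and inventory lines are constructed; a point release of a range's upper bound is reported as `review` because the article gives no fixed-version numbers.

```sh
# Affected ranges as "low high" pairs, copied from the article text.
AFFECTED_RANGES='17.5.0 17.5.1
17.1.0 17.1.2
16.1.0 16.1.6
15.1.0 15.1.10'

# ver_key: first three components as one integer (15.1.10 -> 15001010),
# so 15.1.9 sorts below 15.1.10 (a plain string comparison gets this wrong).
ver_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# classify_version VERSION prints one of:
#   affected  inside a range listed in the article
#   review    point release of a range upper bound (16.1.6.1): check the advisory
#   unlisted  outside every range the article lists (not proof of a fix)
#   invalid   not a dotted numeric version
classify_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    key=$(ver_key "$1")
    point=$(echo "$1" | awk -F. '{ print $4 + 0 }')   # 0 when there is no 4th part
    result=unlisted
    while read -r low high; do
        if [ "$key" -ge "$(ver_key "$low")" ] && [ "$key" -le "$(ver_key "$high")" ]; then
            result=affected
            if [ "$key" -eq "$(ver_key "$high")" ] && [ "$point" -gt 0 ]; then
                result=review
            fi
        fi
    done <<EOF
$AFFECTED_RANGES
EOF
    echo "$result"
}

# triage_inventory: read "hostname version" lines on stdin, print a verdict each.
triage_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        printf '%-12s %-10s %s\n' "$host" "$ver" "$(classify_version "$ver")"
    done
}

# Constructed inventory (hostnames and versions are made up for this example).
triage_inventory <<'EOF'
lb-edge-01 17.5.1
lb-edge-02 16.1.6.1
lb-core-01 15.1.9
EOF
```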

    F5 separately published indicators of compromise (IoCs) for the exploitation activity against CVE-2025-53521. The company noted that in cases of the successful deployment of malicious software tracked as c05d5254, organizations may detect files on disk such as /run/bigtlog.pipe and /run/bigstart.ltm, as well as mismatches in file sizes, hashes, and timestamps against known-good versions of /usr/bin/umount and /usr/sbin/httpd.

    The IoCs also included log entries, commands, and other tactics, techniques, and procedures used by the attackers. 
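
One way to check a live host or a mounted disk image for the on-disk indicators described above, added here as an example and not F5's tooling. It covers presence of the two /run files plus size and SHA-256 of the two binaries; the baseline file format ("path size sha256", produced by `snapshot` on a known-good system of the same version) is an assumption of this example.

```sh
# On-disk indicators and watched binaries named in the article.
IOC_PATHS='/run/bigtlog.pipe /run/bigstart.ltm'
WATCHED_BINARIES='/usr/bin/umount /usr/sbin/httpd'
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# find_ioc_files ROOT: print each indicator path present; return 1 on any hit.
find_ioc_files() {
    root=${1%/}; hits=0
    for p in $IOC_PATHS; do
        # -e follows symlinks; -L also catches a dangling symlink.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "IOC_PRESENT $p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# fingerprint ROOT PATH: print "PATH SIZE SHA256" for one file.
fingerprint() {
    f=${1%/}$2
    [ -f "$f" ] || { echo "$2 MISSING -"; return 0; }
    size=$(wc -c < "$f" | tr -d ' ')
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    echo "$2 $size $sum"
}

# snapshot ROOT: fingerprint every watched binary (run on a known-good system).
snapshot() {
    for b in $WATCHED_BINARIES; do fingerprint "$1" "$b"; done
}

# compare_baseline ROOT BASELINE: print MISMATCH lines; return 1 on any mismatch.
compare_baseline() {
    root=$1; bad=0
    while read -r path want_size want_sum; do
        [ -n "$path" ] || continue
        got=$(fingerprint "$root" "$path")
        if [ "$got" != "$path $want_size $want_sum" ]; then
            echo "MISMATCH $path expected=$want_size/$want_sum got=${got#* }"
            bad=$((bad + 1))
        fi
    done < "$2"
    [ "$bad" -eq 0 ]
}

# Usage: sh check.sh [ROOT] [BASELINE_FILE]; ROOT defaults to the live system.
find_ioc_files "${1:-/}" || echo "on-disk indicators found under ${1:-/}"
if [ -n "${2:-}" ]; then compare_baseline "${1:-/}" "$2" || echo "binary mismatch"; fi
```

A clean result only means these specific indicators are absent; a baseline taken from an already compromised system will match the tampered binaries.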

    Cybersecurity vendor Defused, meanwhile, said it observed scanning activity for CVE-2025-53521 following the addition of the flaw to CISA’s KEV catalog. 

    “This actor is hitting /mgmt/shared/identified-devices/config/device-info, which is a F5 BIG-IP REST API endpoint used to retrieve system-level information, such as hostname, machine ID, and base MAC address,” Defused said on Friday in a post on social media platform X.
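
Detection logic for the request Defused describes, run over sample log lines (an added example, not from Defused or F5). It assumes an access log in combined log format from whatever fronts the management interface; the log lines and client addresses are constructed.

```sh
# Path quoted in the article from the Defused post.
PROBE_PATH='/mgmt/shared/identified-devices/config/device-info'

# probe_sources: read combined-format access-log lines on stdin and print
# "CLIENT HITS STATUSES" for every client that requested PROBE_PATH.
probe_sources() {
    awk -v path="$PROBE_PATH" '
    {
        # Whitespace fields: $1 client, $7 request target, $9 status code.
        target = tolower($7)
        sub(/[?#].*$/, "", target)                  # drop query string or fragment
        gsub(/\/+/, "/", target)                    # collapse repeated slashes
        if (target != "/") sub(/\/$/, "", target)   # drop a trailing slash
        if (target != path) next
        hits[$1]++
        if (index(codes[$1], $9) == 0)
            codes[$1] = (codes[$1] == "" ? $9 : codes[$1] "," $9)
    }
    END { for (ip in hits) print ip, hits[ip], codes[ip] }' | sort
}

# Constructed log lines (documentation address ranges, made-up timestamps).
probe_sources <<'EOF'
203.0.113.7 - - [01/Jan/2026:10:01:02 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401 0 "-" "-"
203.0.113.7 - - [01/Jan/2026:10:01:09 +0000] "GET /mgmt/shared/identified-devices/config/device-info?a=1 HTTP/1.1" 401 0 "-" "-"
198.51.100.20 - - [01/Jan/2026:10:02:30 +0000] "GET //mgmt/shared/identified-devices/config/device-info/ HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [01/Jan/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
EOF
```

The status column separates requests that were refused from requests that were answered, which is the first thing to check for each client listed.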

    It’s unclear when the exploitation activity first began. Simo Kohonen, founder and CEO of Defused, tells Dark Reading that his company’s BIG-IP honeypots are “more or less under attack consistently.” However, he says the company has observed some notable changes in the threat activity since Friday, including new ways of fingerprinting F5 instances.

    “Generic mass exploiters consistently use the same type of payload, but we’ve observed minor deviations to the payloads in the past week, which suggests more actors out there are looking at mapping out F5 infrastructure,” Kohonen says.

    F5 products have been frequently targeted by a wide range of threat actors. Last year, nation-state attackers breached F5 and stole sensitive data, including source code for the BIG-IP platform. 

    Given the increased risk posed by CVE-2025-53521, F5 customers should update their software and review their systems for any signs of compromise.
