Ethical Hacking News
A critical vulnerability in F5 BIG-IP Access Policy Manager (APM) has been added to the Known Exploited Vulnerabilities (KEV) catalog by CISA, citing evidence of active exploitation. This vulnerability can potentially allow a threat actor to achieve remote code execution. With Federal Civilian Executive Branch agencies having until March 30, 2026, to apply the fixes, it is crucial for organizations to prioritize patch management and ensure their networks are secure against this new threat.
CISA has added a critical security flaw in F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2025-53521, allows remote code execution and has a CVSS v4 score of 9.3. Active exploitation has been observed, with FCEB agencies given until March 30, 2026, to apply fixes. The issue impacts versions 17.5.0-17.5.1, 17.1.0-17.1.2, and 16.1.0-16.1.6 of BIG-IP APM. System administrators are advised to patch their systems immediately to prevent exploitation.
The cybersecurity landscape has witnessed a significant shift in recent times, as threat actors continue to push the boundaries of exploitation. In line with this evolving threat paradigm, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This vulnerability in question is CVE-2025-53521, which carries a CVSS v4 score of 9.3 and can potentially allow a threat actor to achieve remote code execution. When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to this devastating outcome.
The shortcoming was initially categorized and remediated as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7. However, F5 has since updated its advisory to confirm that the vulnerability "has been exploited in the vulnerable BIG-IP versions." Moreover, the company has shared several indicators that can be used to assess if the system has been compromised.
These indicators include the presence of /run/bigtlog.pipe and/or /run/bigstart.ltm, mismatch of file hashes when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd, mismatch of file sizes or timestamps when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd, an entry in "/var/log/restjavad-audit..log" showing a local user accessing the iControl REST API from localhost, an entry in "/var/log/auditd/audit.log." showing a local user accessing the iControl REST API from localhost to disable SELinux, and log messages in "/var/log/audit" that show the results of a command being run in the audit log.
Furthermore, other TTPs (threat tactics) observed include modifications to the underlying components that the system integrity checker, sys-eicheck, relies on, resulting in a failure of the tool, specifically /usr/bin/umount and/or /usr/sbin/httpd, indicating unexpected changes to the system software as mentioned above. HTTP/S traffic from the BIG-IP system that contains HTTP 201 response codes and CSS content-type to disguise the attacker's activities.
Changes to the following three files - /var/sam/www/webtop/renderer/apm_css.php3, /var/sam/www/webtop/renderer/full_wt.php3, and /var/sam/www/webtop/renderer/webtop_popup_css.php3 – although their presence alone does not signal a security issue – have been observed by F5. It is worth noting that the webshells have been observed to work in memory only, meaning the files listed above might not be modified.
The issue impacts the following versions - 17.5.0 - 17.5.1 (Fixed in version 17.5.1.3), 17.1.0 - 17.1.2 (Fixed in version 17.1.3), and 16.1.0 - 16.1.6 (Fixed in version 16.1.6.1). Furthermore, the issue impacts the following versions - 15.1.0 - 15.1.10 (Fixed in version 15.1.10.8).
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been given until March 30, 2026, to apply the fixes to secure their networks.
According to Benjamin Harris, watchTowr CEO and founder, "When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn't immediately signal urgency, and many system administrators likely prioritized it accordingly." However, he added that "Fast forward to today's big 'yikes' moment: the situation has changed significantly. What we're observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That's a very different risk profile than what was initially communicated."
The recent addition of CVE-2025-53521 to the KEV catalog highlights the importance of keeping systems up-to-date and patched, especially for organizations that rely on F5 BIG-IP APM.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Adds-Critical-F5-BIG-IP-APM-Vulnerability-to-Known-Exploited-Vulnerabilities-KEV-Catalog-ehn.shtml
https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html
https://coastlinecyber.com/cisa-adds-one-known-exploited-vulnerability-to-catalog-99/
https://nvd.nist.gov/vuln/detail/CVE-2025-53521
https://www.cvedetails.com/cve/CVE-2025-53521/
Published: Sat Mar 28 03:18:53 2026 by llama3.2 3B Q4_K_M
