**Hackers Exploit Critical F5 BIG-IP Flaw, Patches Urgently Recommended**

In a recent warning, F5 Networks reclassified a BIG-IP APM (Access Policy Manager) vulnerability as a critical-severity remote code execution (RCE) flaw, alerting that attackers are exploiting it to deploy webshells on unpatched devices. The flaw, tracked as CVE-2025-53521, can be exploited by attackers without privileges to achieve RCE on BIG-IP APM systems that have an access policy configured on a virtual server.

F5 Networks has issued an advisory update, advising defenders to check their BIG-IP systems' disks, logs, and terminal history for signs of malicious activity. The company strongly recommends that users consult their corporate security policy for guidelines about incident handling procedures, including forensic best practices, specific to their organization.

**The BIG-IP APM Vulnerability: An Overview**

BIG-IP APM is a centralized access management proxy solution provided by F5 Networks, enabling administrators to secure and manage user access to organizations' networks, cloud applications, application programming interfaces (APIs), and more. The vulnerability, CVE-2025-53521, was initially categorized as a Denial-of-Service (DoS) flaw but has been reclassified due to new information obtained in March 2026.

The vulnerability can be exploited by attackers without privileges against BIG-IP APM systems with access policies configured on a virtual server. F5 stated that the original remediation for the CVE has been validated to also address the RCE in the fixed versions, and stressed that vulnerable systems should be patched immediately.

**Exploitation and Implications**

Internet threat-monitoring non-profit organization Shadowserver now tracks over 240,000 BIG-IP instances exposed online; however, there is no information on how many have a vulnerable configuration or have already been secured against CVE-2025-53521 attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the vulnerability to its list of actively exploited flaws and ordered federal agencies to secure their BIG-IP APM systems by midnight on Monday, March 30.

"Cyber threats are a frequent attack vector for malicious actors, posing significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

In recent years, BIG-IP vulnerabilities have been exploited by nation-state and cybercrime threat groups to breach corporate networks, map internal servers, deploy data-wiping malware, hijack devices, and steal sensitive documents from victims' networks.

**Recommendations and Mitigation**

F5 strongly recommends that users follow these steps:

* Patch vulnerable systems immediately
* Review BIG-IP APM configurations for access policies on virtual servers
* Check disks, logs, and terminal history for signs of malicious activity
* Consult corporate security policy for guidelines about incident handling procedures
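As an added example that is not part of F5's advisory or this article, the following Python helper supports the configuration-review step above: it cross-references the access profiles defined on a device (`tmsh list apm profile access`) with the profiles attached to each virtual server (`tmsh list ltm virtual`) and reports which virtual servers carry an APM access policy. The sample outputs embedded below are constructed and simplified; real `tmsh` output contains more fields, and the parser only relies on the object header lines and brace nesting.

```python
import re

# Constructed, simplified samples of `tmsh list apm profile access` and
# `tmsh list ltm virtual` output; not captured from a real device.
APM_PROFILES_OUT = """\
apm profile access /Common/portal_access {
    access-policy /Common/portal_access
}
"""
VIRTUALS_OUT = """\
ltm virtual /Common/vs_portal {
    profiles {
        /Common/http { }
        /Common/portal_access { }
    }
}
ltm virtual /Common/vs_plain_web {
    profiles {
        /Common/http { }
    }
}
"""

def split_objects(text, kind):
    """Yield (name, body) for each top-level `kind` object, tracking brace depth."""
    name, depth, body = None, 0, []
    for line in text.splitlines():
        if depth == 0:
            m = re.match(rf"{re.escape(kind)} (\S+) \{{", line)
            if not m:
                continue
            name = m.group(1)
        body.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            yield name, "\n".join(body[1:])  # body without its header line
            body = []

def access_profile_names(apm_out):
    """Set of APM access profile names defined on the device."""
    return {name for name, _ in split_objects(apm_out, "apm profile access")}

def virtuals_with_access_policy(virtuals_out, access_profiles):
    """Map each virtual server to the APM access profiles attached to it."""
    findings = {}
    for vs, body in split_objects(virtuals_out, "ltm virtual"):
        # Every attached profile appears as "/Partition/name {" inside the body.
        attached = sorted(set(re.findall(r"(/\S+) \{", body)) & access_profiles)
        if attached:
            findings[vs] = attached
    return findings
```

Virtual servers returned by `virtuals_with_access_policy` are the ones matching the vulnerable configuration described in the advisory and should be prioritised for patching and log review.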

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also recommends applying mitigations per vendor instructions or following applicable BOD 22-01 guidance for cloud services.

**Conclusion**

The critical F5 BIG-IP APM flaw is being exploited in the wild, which underlines the need to patch vulnerable systems immediately. With over 240,000 BIG-IP instances exposed online, organizations must act to secure their systems against this RCE vulnerability. By following the recommended steps and consulting their corporate security policies, defenders can mitigate the risks associated with CVE-2025-53521.

**Sources:**

* F5 Networks advisory update
* U.S. Cybersecurity and Infrastructure Security Agency (CISA) alert
* Shadowserver threat monitoring data