**Hacker Pranks Exclusive:** Over 14,000 F5 BIG-IP APM Instances Remain Exposed to Critical RCE Attacks

In a concerning revelation, internet threat-monitoring non-profit Shadowserver has discovered that over 14,000 F5 BIG-IP Access Policy Manager (APM) instances are still exposed online, leaving them vulnerable to remote code execution (RCE) attacks. The number remains this high even though the vulnerability was disclosed five months ago and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure their BIG-IP APM systems by midnight on Monday.

F5's centralized access management proxy solution, BIG-IP APM, is designed to help administrators secure access to their organizations' networks, cloud, applications, and application programming interfaces (APIs). However, a critical-severity RCE vulnerability, tracked as CVE-2025-53521, has been exploited by unprivileged attackers to gain remote code execution on unpatched BIG-IP APM systems that have access policies configured on a virtual server.

**The Vulnerability: A History of Exploitation**

The vulnerability was initially disclosed in October 2022 as a denial-of-service (DoS) vulnerability but was later reclassified as an RCE bug due to new information obtained in March 2026. F5 said in a Sunday advisory update that this reclassification was necessary and that the original CVE remediation has been validated to address the RCE in the fixed versions.

"The original vulnerability is being re-categorized to an RCE," F5 stated. "We have learned that this vulnerability has been exploited in the vulnerable BIG-IP versions."

**Shadowserver's Findings: Over 17,100 IPs with BIG-IP APM Fingerprints**

Internet threat-monitoring non-profit Shadowserver said on Wednesday that it now tracks over 17,100 IPs with BIG-IP APM fingerprints. This staggering number is a stark reminder of the importance of securing these instances and patching vulnerabilities promptly.

While there is no information on how many of the BIG-IP APM instances exposed on the Internet have a vulnerable configuration, F5 has published indicators of compromise (IOCs) to help defenders identify potential threats. The company also advises checking the disks, logs, and terminal history of BIG-IP devices for signs of malicious activity.

**Prevention and Response: Guidance from F5**

F5 provides guidance on the measures to take after detecting evidence of compromise, including rebuilding the affected systems from scratch. If customers are unsure when the system was compromised, their user configuration set (UCS) backups may have been created after the compromise occurred.

"F5 strongly recommends that customers rebuild the configuration from a known good source because UCS files from compromised systems can contain persistent malware," the company said.

**The Importance of Cybersecurity: Protecting Your Network**

This vulnerability highlights the importance of prioritizing cybersecurity and regularly updating software to prevent attacks. BIG-IP vulnerabilities have been targeted by both nation-state and cybercrime threat groups in recent years, leading to breaches, data theft, and other malicious activities.

By staying informed about potential threats and taking proactive measures to secure your network, you can protect your organization from falling victim to these types of attacks.

**Take Action Now: Patch Your BIG-IP APM Instances**

In conclusion, the discovery of over 14,000 F5 BIG-IP APM instances exposed to RCE attacks serves as a wake-up call for organizations to prioritize cybersecurity and patch vulnerabilities promptly. By taking immediate action to secure your BIG-IP APM instances, you can protect your network from potential threats and prevent costly breaches.

As a responsible cybersecurity blog, we urge all readers to review their systems and take the necessary steps to mitigate this vulnerability. Don't wait until it's too late – patch your BIG-IP APM instances now and stay ahead of the threat landscape.