**14,000+ F5 BIG-IP APM Instances Still Exposed to RCE Attacks: Urgent Patching Required**

A critical-severity remote code execution (RCE) vulnerability in the F5 BIG-IP Access Policy Manager (APM) solution has left over 14,000 instances exposed online, making them vulnerable to attacks. The flaw, tracked as CVE-2025-53521, was initially disclosed as a denial-of-service (DoS) issue but was reclassified as an RCE bug in March 2026. Attackers without privileges are exploiting this security issue to gain remote code execution on unpatched BIG-IP APM systems with access policies configured on a virtual server.

F5, the manufacturer of the BIG-IP APM solution, has warned that attackers can exploit this vulnerability to breach corporate networks, hijack devices, deploy data-wiping malware, map internal servers, and steal sensitive data. The company has also published indicators of compromise (IOCs) and advised defenders to check the disks, logs, and terminal history of BIG-IP devices for signs of malicious activity.

**The Vulnerability: A Critical RCE Bug**

The F5 BIG-IP APM solution is designed to help administrators secure access to their organizations' networks, cloud, applications, and application programming interfaces (APIs). However, a critical-severity RCE vulnerability in the solution has left over 14,000 instances exposed online. This vulnerability was initially disclosed as a DoS issue but was reclassified as an RCE bug in March 2026.

According to F5, attackers without privileges can exploit this security issue to gain remote code execution on unpatched BIG-IP APM systems with access policies configured on a virtual server. The company has also warned that the vulnerability has been exploited against vulnerable BIG-IP versions.

**Exposure: Over 14,000 BIG-IP Instances Still Vulnerable**

Despite the urgency of the situation, over 14,000 BIG-IP APM instances remain exposed to CVE-2025-53521 attacks. Shadowserver, an internet threat-monitoring non-profit, has tracked over 17,100 IPs with BIG-IP APM fingerprints. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure their BIG-IP APM systems by midnight on Monday.

**Patching and Mitigation: Urgent Action Required**

F5 has provided guidance on the measures to take after detecting evidence of compromise, including rebuilding the affected systems from scratch. The company has also published indicators of compromise (IOCs) and advised defenders to check the disks, logs, and terminal history of BIG-IP devices for signs of malicious activity.

**Conclusion: Urgent Patching Required**

The F5 BIG-IP APM RCE vulnerability is a critical issue that requires immediate attention. With over 14,000 instances exposed online, it's essential that administrators take urgent action to patch their systems and protect against attacks. F5 has provided guidance on the measures to take after detecting evidence of compromise, including rebuilding the affected systems from scratch.

**Recommendations**

1. **Patch BIG-IP APM systems:** Apply the latest patches for CVE-2025-53521 to prevent exploitation.
2. **Check for indicators of compromise (IOCs):** Use F5's published IOCs to check your systems for signs of malicious activity.
3. **Rebuild affected systems from scratch:** If you detect evidence of compromise, rebuild the affected systems from a known good source to ensure they are free from persistent malware.

Urgent patching is required to prevent attacks and protect against data breaches. Don't wait until it's too late – take action now to secure your BIG-IP APM systems.