CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

CISA added a critical F5 BIG-IP Access Policy Manager (APM) flaw, CVE-2025-53521 (CVSS v4 9.3), to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation that can lead to remote code execution. F5 confirmed exploitation, published file and log indicators plus TTPs to help detect compromise, and advised applying the fixed releases for affected versions. FCEB agencies are required to remediate by March 30, 2026.

Key points

  • CVE-2025-53521 allows pre-auth remote code execution in BIG-IP APM and has a CVSS v4 score of 9.3.
  • CISA added the flaw to its KEV catalog citing active exploitation in the wild.
  • F5 reclassified the issue from DoS to RCE after new information and confirmed exploitation in vulnerable versions.
  • Indicators include /run/bigtlog.pipe, mismatched /usr/bin/umount or /usr/sbin/httpd hashes/sizes, and audit logs showing localhost iControl REST API access.
  • Affected versions span 15.1.0–17.5.1 with fixes released; FCEB agencies must apply patches by March 30, 2026.
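
A triage sketch for the file indicators in the list above, added here as an example; it is not F5's or CISA's tooling. The function name and the baseline file format are assumptions, and because this page gives no reference hashes the baseline must come from a known-good install of the same version. The audit-log indicator is not covered.

```shell
#!/usr/bin/env bash
# Added example: triage for the file indicators named in the list above.
# check_file_indicators ROOT BASELINE   (hypothetical helper name)
#   ROOT      filesystem root to inspect: "/" on the appliance or a mounted image
#   BASELINE  operator-supplied lines "<sha256> <size-bytes> <path>" recorded from
#             a known-good install of the same version (assumption: the page
#             publishes no reference hashes)
# Prints each finding and returns the number of findings (0 = none).
check_file_indicators() {
  root="${1%/}"; baseline="$2"; findings=0

  # Indicator: /run/bigtlog.pipe is present (any file type, including a FIFO).
  if [ -e "$root/run/bigtlog.pipe" ] || [ -L "$root/run/bigtlog.pipe" ]; then
    echo "FINDING: /run/bigtlog.pipe exists"
    findings=$((findings + 1))
  fi

  # Indicator: hash or size of these binaries differs from the baseline.
  for path in /usr/bin/umount /usr/sbin/httpd; do
    entry=$(awk -v p="$path" '$3 == p { print $1, $2; exit }' "$baseline")
    if [ -z "$entry" ]; then
      echo "FINDING: no baseline entry for $path, cannot verify"
      findings=$((findings + 1)); continue
    fi
    want_hash=${entry% *}; want_size=${entry#* }
    if [ ! -f "$root$path" ]; then
      echo "FINDING: $path is missing"
      findings=$((findings + 1)); continue
    fi
    got_hash=$(sha256sum "$root$path" | cut -d' ' -f1)
    got_size=$(wc -c < "$root$path" | tr -d ' ')
    if [ "$got_hash" != "$want_hash" ] || [ "$got_size" != "$want_size" ]; then
      echo "FINDING: $path differs from baseline (sha256=$got_hash size=$got_size)"
      findings=$((findings + 1))
    fi
  done

  [ "$findings" -eq 0 ] && echo "no file indicators found"
  return "$findings"
}
```

Running it against a mounted disk image from a trusted analysis host is more reliable than running it on the appliance itself, since the binaries used to compute the hashes could themselves have been altered on a compromised system.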

Read More: https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html