F5 Networks has reclassified a BIG-IP APM vulnerability from DoS to critical remote code execution (CVE-2025-53521) after discovering attackers are exploiting it to deploy webshells on unpatched devices. F5 and CISA have issued advisories with IOCs and urgent patching guidance while Shadowserver reports over 240,000 BIG-IP instances exposed online.
Key points
- F5 reclassified a previously patched DoS bug as a critical RCE after evidence of exploitation in the wild.
- The flaw, tracked as CVE-2025-53521, allows unauthenticated remote code execution on BIG-IP APM systems that have access policies configured on a virtual server.
- Attackers have used the issue to deploy webshells; F5 published IOCs and urged forensic checks of disks, logs, and terminal history.
- CISA added the vulnerability to its actively exploited list and ordered federal agencies to secure affected BIG-IP APM systems immediately.
- Shadowserver reports over 240,000 BIG-IP instances exposed online, increasing the urgency for organizations to verify and patch vulnerable systems.