Shadowserver has found over 14,000 F5 BIG-IP APM instances exposed online amid active attacks exploiting CVE-2025-53521, a flaw recently reclassified from a denial-of-service to a remote code execution vulnerability. F5 has published IOCs and remediation guidance, urging checks of disks, logs, and terminal history and recommending rebuilding systems from known-good sources, while CISA ordered federal agencies to secure their BIG-IP APM systems.
Key points
- Shadowserver reports over 14,000 BIG-IP APM instances remain exposed to attacks.
- CVE-2025-53521 was disclosed as a DoS in October and reclassified as an RCE in March 2026 after new information emerged.
- Attackers can achieve remote code execution on unpatched BIG-IP APM systems that have access policies on virtual servers.
- F5 published indicators of compromise and advises checking disks, logs, and terminal history and rebuilding from known-good sources because UCS backups may be tainted.
- CISA ordered federal agencies to secure affected BIG-IP APM systems, and BIG-IP vulnerabilities have been frequently targeted by nation-state and cybercrime groups.