Latest F5 BIG-IP vulnerability: CVE-2025-53521 #

On October 15, 2025, F5 disclosed a denial-of-service vulnerability, designated CVE-2025-53521, in F5 BIG-IP Access Policy Manager (APM).

On Friday, March 27, 2026, F5 updated the CVE entry to reclassify the issue as a remote code execution (RCE) vulnerability with a CVSS score of 9.8: a remote, unauthenticated attacker can execute arbitrary code on an affected system.

This vulnerability is known to be exploited in the wild and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on March 27, 2026.

The following versions are affected:

  • F5 BIG-IP Access Policy Manager versions 17.5.0 - 17.5.1 (inclusive)
  • F5 BIG-IP Access Policy Manager versions 17.1.0 - 17.1.2 (inclusive)
  • F5 BIG-IP Access Policy Manager versions 16.1.0 - 16.1.6 (inclusive)
  • F5 BIG-IP Access Policy Manager versions 15.1.0 - 15.1.10 (inclusive)

What is F5 BIG-IP Access Policy Manager (APM)? #

F5 BIG-IP Access Policy Manager (APM) is a software module on F5 BIG-IP appliances that acts as an identity-aware proxy and VPN.

What is the impact? #

Successful exploitation of this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are any updates or workarounds available? #

Upgrade affected versions of F5 BIG-IP Access Policy Manager to the latest patched version.

  • 17.5.x upgrade to 17.5.1.3 or later
  • 17.1.x upgrade to 17.1.3 or later
  • 16.1.x upgrade to 16.1.6.1 or later
  • 15.1.x upgrade to 15.1.10.8 or later
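The affected and fixed versions above are easy to get wrong when compared as strings (15.1.10 is vulnerable, 15.1.10.8 is fixed, and a naive prefix match puts them in the same bucket). The script below, added here as an illustration and not runZero or F5 code, turns the two lists into a triage check over an inventory export. The inventory record shape and the host names are constructed for the example; in practice you would feed it the version and provisioned-module fields from a runZero export or from `tmsh show sys version` on each box.

```python
"""Triage BIG-IP inventory records against the CVE-2025-53521 version table.

Added example for this post, not runZero or F5 code. Version boundaries are
the ones listed in the post; the inventory records below are constructed.
"""

# Per branch (major, minor): first affected version and first fixed version,
# as zero-padded 4-tuples so 15.1.10 (vulnerable) sorts below 15.1.10.8 (fixed).
AFFECTED = {
    (17, 5): ((17, 5, 0, 0), (17, 5, 1, 3)),
    (17, 1): ((17, 1, 0, 0), (17, 1, 3, 0)),
    (16, 1): ((16, 1, 0, 0), (16, 1, 6, 1)),
    (15, 1): ((15, 1, 0, 0), (15, 1, 10, 8)),
}


def parse_version(text: str) -> tuple:
    """'17.1.2' -> (17, 1, 2, 0); '15.1.10.8' -> (15, 1, 10, 8).

    Raises ValueError on anything that is not two to four dotted integers,
    so a malformed inventory field fails loudly instead of scoring as safe.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version: str, apm_provisioned: bool = True) -> str:
    """Classify one BIG-IP version for CVE-2025-53521.

    Returns one of:
      'vulnerable'   - inside an affected range and APM is provisioned
      'not-affected' - inside an affected range but APM is not provisioned
                       (still upgrade, but this bug is in the APM module)
      'patched'      - at or above the first fixed version for its branch
      'unlisted'     - branch not in the table (e.g. end-of-support);
                       treat as needing manual review, not as safe
    """
    v = parse_version(version)
    branch = v[:2]
    if branch not in AFFECTED:
        return "unlisted"
    first_affected, first_fixed = AFFECTED[branch]
    if not (first_affected <= v < first_fixed):
        return "patched"
    return "vulnerable" if apm_provisioned else "not-affected"


def triage(inventory):
    """inventory: iterable of dicts with 'host', 'version' and 'modules' keys
    (hypothetical export shape). Returns (host, version, state) tuples."""
    return [
        (rec["host"], rec["version"], assess(rec["version"], "apm" in rec["modules"]))
        for rec in inventory
    ]


# Constructed sample inventory; host names and versions are made up.
SAMPLE = [
    {"host": "bigip-edge-01", "version": "17.1.2", "modules": ["ltm", "apm"]},
    {"host": "bigip-edge-02", "version": "17.1.3", "modules": ["ltm", "apm"]},
    {"host": "bigip-dc-01", "version": "15.1.10", "modules": ["ltm", "apm"]},
    {"host": "bigip-dc-02", "version": "15.1.10.8", "modules": ["ltm", "apm"]},
    {"host": "bigip-lab-01", "version": "16.1.6", "modules": ["ltm"]},
    {"host": "bigip-legacy", "version": "14.1.5", "modules": ["ltm", "apm"]},
]

if __name__ == "__main__":
    for host, ver, state in triage(SAMPLE):
        print(f"{host:15} {ver:10} {state}")
```

The `unlisted` bucket matters: a 14.1.x box is not in F5's fixed-version table, which usually means the branch is out of support rather than unaffected, and the October 2025 directive below tells you to disconnect such devices if they are reachable from the internet rather than leave them as an inventory footnote.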

How do I find F5 BIG-IP assets with runZero? #

From the Software Inventory, use the following query to locate potentially affected systems:

vendor:=F5 AND product:="BIG-IP Access Policy Manager"

October 2025: CISA Emergency Directive #

On October 15, 2025, CISA issued an emergency directive to mitigate vulnerabilities on F5 BIG-IP appliances. According to the directive, the general guidance is to "inventory F5 BIG-IP products, evaluate if the networked management interfaces are accessible from the public internet, and apply newly released updates from F5."

What is F5 BIG-IP? #

F5 BIG-IP appliances provide application delivery and security services to enhance security and improve performance of network applications.

What is the impact? #

According to the directive, "a nation-state affiliated actor compromised F5 systems and exfiltrated data, including portions of the Big-IP proprietary source code and vulnerability information". The emergency directive specifically calls out "all instances of F5 BIG-IP hardware devices and F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IP IQ software, and BNK / CNF". Organizations should apply the latest vendor updates and disconnect any affected publicly-connected devices that have reached their end-of-support date.

For more information, refer directly to the CISA emergency directive.

How do I find F5 BIG-IP assets with runZero? #

From the Asset Inventory, use the following query to locate potentially affected systems:

os:="F5%"

May 2022: CVE-2022-1388 #

In May 2022, technology vendor F5 published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities included a mix of types and severities, one authentication bypass vulnerability affecting all BIG-IP modules was concerning enough that CISA specifically called it out.

What was the impact? #

CVE-2022-1388 (CVSS "critical" score of 9.8) allowed an unauthenticated attacker with network access to the management port or a self IP address to take over a vulnerable BIG-IP. Once connected, successful exploitation was achieved with a crafted HTTP request that bypassed iControl REST authentication and gave the attacker full access and control. F5 noted that there was no data plane exposure via exploitation of this vulnerability, "this being a control plane issue only".

Were updates available? #

Patches were made available by F5 for CVE-2022-1388, as well as for many of the other vulnerabilities included in their security advisory overview. Guidance also included mitigation steps if immediate or near-term patching was not an option.

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception technology. A strong believer in Open Source, he has contributed to projects such as Nmap, Metasploit, and Recog.

Written by runZero Team

Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!