Critical flaw in F5 BIG-IP faces wide exploitation risk
The company revised a security advisory as newly disclosed information heightens the potential impact.
Published April 2, 2026
David Jones
Reporter
Share
License
Add us on Google
The F5 tower in Seattle, Wash. The company is warning of a critical vulnerability in BIG-IP Access Policy Manager. Courtesy of F5 Press Kit
A critical flaw in F5 BIG-IP Access Policy Manager currently is under exploitation, and company officials warn the risk is far greater than previously known.
The company in October 2025 disclosed the vulnerability, tracked as CVE-2025-53521, as a denial-of-service flaw. However, new information led F5 to recategorize the flaw, indicating a risk of remote code execution, according to an update Wednesday.
The new information shows that remote code execution can take place when BIG-IP APM access policy is configured on a virtual server, according to the company.
Shadowserver Foundation on Wednesday released data showing more than 17,000 vulnerable IPs worldwide as of Tuesday.
When F5 originally released information listing the vulnerability as a denial-of-service issue, “it didn’t immediately signal urgency, and many system administrators likely prioritized it accordingly,” watchTowr founder and CEO Benjamin Harris told Cybersecurity Dive.
Harris said his researchers are seeing in-the-wild exploitation and warned that security teams would need to assess whether they’ve already been impacted.
The Cybersecurity and Infrastructure Security Agency added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on Friday. The agency gave Federal Civilian Executive Branch agencies a deadline of March 30 to remediate their systems, signaling the urgency of the situation.
The National Cyber Security Centre in the U.K. issued an advisory to alert security teams about the change, noting that BIG-IP APM is widely used in large enterprises.
Add us on Google
Share
PURCHASE LICENSING RIGHTS
Filed Under: Vulnerability