CISA Warns of F5 BIG-IP Vulnerability Actively Exploited in Attacks

Home Cyber Security CISA Warns of F5 BIG-IP Vulnerability Actively Exploited in Attacks The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed vulnerability affecting F5 BIG-IP systems to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is being actively leveraged in real-world attacks. The vulnerability, tracked as CVE-2025-53521, was officially listed on March 27, 2026, with a remediation deadline of March 30, 2026, for federal agencies. CVE-2025-53521 is described as an unspecified vulnerability within F5 BIG-IP Access Policy Manager (APM) that could allow remote code execution (RCE). While technical details remain limited, the potential for unauthenticated or low-complexity exploitation has raised significant concern across the cybersecurity community, particularly given the widespread deployment of BIG-IP devices in enterprise and government networks. F5 BIG-IP Vulnerability Exploited CISA’s inclusion of the vulnerability in the KEV catalog confirms that threat actors are already exploiting the issue in the wild. Although there is currently no confirmed attribution or evidence linking the flaw to ransomware campaigns, the agency emphasized that vulnerabilities enabling RCE are frequently weaponized in post-compromise activities, including lateral movement and data exfiltration. Historically, F5 BIG-IP vulnerabilities have been attractive targets for both financially motivated groups and state-sponsored actors due to their role in traffic management, authentication, and secure application delivery. Exploitation of such systems can provide attackers with a high level of control over network infrastructure. CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply vendor-provided mitigations immediately or discontinue use of affected systems if patches or workarounds are unavailable. The directive falls under Binding Operational Directive (BOD) 22-01, which mandates the rapid remediation of vulnerabilities listed in the KEV catalog. F5 has issued guidance to address the issue, and organizations are strongly advised to follow official mitigation steps without delay. Security teams should also review logs and monitor for signs of compromise, particularly unusual administrative activity or unauthorized configuration changes within BIG-IP environments. The rapid addition of CVE-2025-53521 to the KEV catalog highlights a continuing trend of attackers targeting edge devices and network infrastructure components. These systems often sit at critical junctions within enterprise environments, making them high-value targets for initial access and persistence. Given the lack of detailed public disclosure, defenders should assume exploitation techniques may evolve quickly. Proactive measures such as network segmentation, strict access controls, and continuous monitoring are essential to reduce exposure. Organizations using F5 BIG-IP products should treat this vulnerability as a high-priority risk and act immediately to mitigate potential compromise. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security European Commission Confirms Cyberattack Following AWS Account Hack Cyber Security News Windows 11 and Server 2025 Update to Block Untrusted Cross-Signed Kernel Drivers by Default Cyber Security News CISA Adds Aquasecurity Trivy Scanner Vulnerability to KEV Catalog Top 10 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026 Best VPN Services of 2026: Fast, Secure & Affordable January 26, 2026 Top 10 Best Data Security Companies in 2026 January 23, 2026 Top 15 Best Ethical Hacking Tools – 2026 January 15, 2026