F5 BIG-IP Vulnerability Reclassified as RCE, Under Exploitation

APPLICATION SECURITY CYBERATTACKS & DATA BREACHES CYBER RISK VULNERABILITIES & THREATS NEWS F5 BIG-IP Vulnerability Reclassified as RCE, Under Exploitation CVE-2025-53521 was initially disclosed in October as a high-severity denial-of-service (DoS) flaw, but new information has revealed the bug is actually much more dangerous. Rob Wright,Senior News Director,Dark Reading March 30, 2026 3 Min Read SOURCE: SOPA IMAGES LIMITED VIA ALAMY STOCK PHOTO A critical security vulnerability in F5's BIG-IP application security product line, which was first disclosed in October as a high-severity denial-of-service (DoS) flaw, is under active exploitation in the wild. F5 on Saturday also re-categorized CVE-2025-53521 as a remote code execution (RCE) flaw with a 9.8 CVSS score. The vulnerability initially was disclosed and patched on Oct. 15, when it was described as a DoS bug for the BIG-IP Access Policy Manager, with a CVSS score of 7.5. Because of "new information obtained in March 2026," the CVE was revised as an RCE flaw with a significantly higher severity rating, according to F5's updated advisory. It's unclear what the new information entailed. Dark Reading contacted F5 for comment but the company did not respond by press time. CVE-2025-53521 Under Attack F5 also warned in the updated advisory that CVE-2025-53521 has been exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Friday. Related:AI-Driven Code Surge Is Forcing a Rethink of AppSec According to F5, a threat actor can exploit the critical bug by sending "specific malicious traffic" to virtual servers configured with BIG-IP AMP, which would give them RCE capabilities.  BIG-IP AMP versions 17.5.0 to 17.5.1, 17.1.0 to 17.1.2, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10 are vulnerable. F5 urged customers to upgrade to a fixed version. The network security vendor also said BIG-IP systems in running in appliance mode, which restricts administrative access to the systems, are still vulnerable to the flaw. F5 separately published indicators of compromise (IoCs) for the exploitation activity against CVE-2025-53521. The company noted that in cases of the successful deployment of malicious software tracked as c05d5254, organizations may detect files on disk such as /run/bigtlog.pipe and /run/bigstart.ltm, as well as mismatches of file sizes, hashes, and timestamps for known good versions of known good versions of /usr/bin/umount and /usr/sbin/httpd. The IoCs also included log entries, commands, and other tactics, techniques, and procedures used by the attackers.  Cybersecurity vendor Defused, meanwhile, said it observed scanning activity for CVE-2025-53521 following the addition of the flaw to CISA's KEV catalog.  "This actor is hitting /mgmt/shared/identified-devices/config/device-info, which is a F5 BIG-IP REST API endpoint used to retrieve system-level information, such as hostname, machine ID, and base MAC address," Defused said on Friday in a post on social media platform X. Related:Storm Brews Over Critical, No-Click Telegram Flaw It's unclear when the exploitation activity first began. Simo Kohonen, founder and CEO of Defused, tells Dark Reading that his company's BIG-IP honeypots are "more or less under attack consistently." However, he says the company has observed some notable changes in the threat activity since Friday, including new ways of fingerprinting F5 instances. "Generic mass exploiters consistently use the same type of payload, but we've observed minor deviations to the payloads in the past week, which suggests more actors out there are looking at mapping out F5 infrastructure," Kohonen says. F5 products have been frequently targeted by a wide range of threat actors. Last year, nation-state attackers breached F5 and stole sensitive data, including source code for the BIG-IP platform.  Given the increased risk posed by CVE-2025-53521, F5 customers should update their software and review their systems for any signs of compromise. About the Author Rob Wright Senior News Director, Dark Reading Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.  Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like APPLICATION SECURITY Trump Administration Rescinds Biden-Era Software Guidance by Alexander Culafi JAN 29, 2026 APPLICATION SECURITY Microsoft Fixes Exploited Zero Day in Light Patch Tuesday by Jai Vijayan, Contributing Writer DEC 09, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 APPLICATION SECURITY Oracle Cloud Users Urged to Take Action by Jai Vijayan, Contributing Writer MAR 31, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity 5 Steps to Stop Ransomware With Zero Trust Explore More White Papers BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE