
CISA Adds CVE-2025-53521 to KEV: What It Means for F5 BIG-IP APM Systems — and How Forward Can Help

April 1, 2026

chrisnaish
Employee

If you manage F5 BIG-IP Access Policy Manager (APM) anywhere in your environment, this one demands your immediate attention.

On March 27, 2026, CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation of a critical flaw in F5 BIG-IP APM. Federal Civilian Executive Branch (FCEB) agencies were given until March 30, 2026 — just 72 hours — to remediate. That kind of deadline reflects just how serious CISA considers this threat.


What Happened — and Why the Urgency

This vulnerability has a bit of a history that makes it particularly tricky. CVE-2025-53521 was originally disclosed by F5 back in October 2025 as part of their quarterly security advisory cycle. At the time, it was categorized as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7 — serious, but not immediately alarming for organizations that were still working through their patch queues.

Fast forward to March 2026. F5 revised its advisory based on new information, reclassifying the vulnerability as an unauthenticated remote code execution (RCE) flaw — a fundamentally different threat class. The updated CVSS scores reflect that shift: 9.8 on CVSS v3.1 and 9.3 on CVSS v4. Days later, CISA confirmed active exploitation and added it to KEV.

When an APM access policy is configured on a virtual server, an unauthenticated attacker can send specially crafted traffic to trigger RCE. Following the KEV addition, researchers observed a surge of scanning activity against the /mgmt/shared/identified-devices/config/device-info REST API endpoint, which attackers appear to be using to fingerprint and identify vulnerable devices in the wild.


Who Is Affected

The vulnerability impacts F5 BIG-IP APM across four version branches:

Branch   Affected Versions   Fixed Version
17.5.x   17.5.0 – 17.5.1     17.5.2
17.1.x   17.1.0 – 17.1.2     17.1.3
16.1.x   16.1.0 – 16.1.6     16.1.7
15.1.x   15.1.0 – 15.1.10    15.1.11


Important detail: CVE-2025-53521 is only exploitable when an APM access policy is configured on a virtual server. If BIG-IP is deployed purely for other functions (LTM, DNS, etc.) without APM policies in play, the attack vector is not present. But in my experience, most organizations don't have a clean, real-time answer to "which of our BIG-IP devices have APM policies active?" — and that's exactly where things get complicated.


What CISA Is Requiring

For FCEB agencies, CISA's KEV listing comes with a mandatory remediation deadline of March 30, 2026. Agencies are required to either apply the vendor-supplied patches to fixed versions (17.5.2, 17.1.3, 16.1.7, or 15.1.11) or document an accepted risk determination per their internal processes.

Even for organizations outside the federal government, CISA's KEV catalog is the clearest public signal that a vulnerability is being actively weaponized. If you haven't prioritized this one yet, now is the time.


How Forward Enterprise Can Help

This is the kind of situation where network visibility becomes operationally critical — not just nice to have. Here's how I've seen Forward Enterprise help teams move fast when a threat like this lands:

1. Find Every Affected Device — Instantly, with Context

Forward Enterprise's network digital twin continuously collects configuration and state data from every device in your environment and cross-references it against the NIST NVD and vendor-specific advisories. That means when a KEV entry like this drops, you don't have to build a query from scratch — Forward has already done the analysis. What you need is a way to surface the results and act on them quickly.

To that end, I put together an NQE query you can drop directly into Forward Enterprise to identify any device in your network flagged as vulnerable to CVE-2025-53521. The query embeds the full CISA KEV catalog entry for this vulnerability — including the required action, due date, and F5's advisory links — so everything your team needs to triage and report is in one place.

/*
Find F5 BIG-IP devices susceptible to CVE-2025-53521. While the directive is written for federal agencies,
the threat is relevant to any organization using F5 BIG-IP platforms.
Organizations should use the CISA Binding Operational Directive 22-01 catalog as an input to their vulnerability management prioritization framework.
More info on the CISA website: https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities.
*/
F5RCE =
  """json
  [{
    "title": "F5 BIG-IP APM Remote Code Execution Vulnerability",
    "vulnerabilities": [
      {
        "cveID": "CVE-2025-53521",
        "vendorProject": "F5",
        "product": "BIG-IP",
        "vulnerabilityName": "F5 BIG-IP Unspecified Vulnerability",
        "dateAdded": "2026-03-27",
        "shortDescription": "F5 BIG-IP APM contains an unspecified vulnerability that could allow a threat actor to achieve remote code execution.",
        "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
        "dueDate": "2026-03-30",
        "knownRansomwareCampaignUse": "Unknown",
        "notes": "Please adhere to F5\u2019s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible F5 products affected by this vulnerability. For more information please see: https:\/\/my.f5.com\/manage\/s\/article\/K000156741 ; https:\/\/my.f5.com\/manage\/s\/article\/K000160486 ; https:\/\/my.f5.com\/manage\/s\/article\/K11438344 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53521",
        "cwes": []
      }
    ]
  }]
  """;

// Every CVE ID carried in the embedded KEV entry (kept for ad-hoc checks).
getAllF5RCE =
  foreach r in F5RCE
  foreach vuln in r.vulnerabilities
  select vuln.cveID;

// KEV attributes for one CVE ID, flattened into named fields for the report.
getF5RCEAttr(NistCve) =
  foreach r in F5RCE
  foreach vuln in r.vulnerabilities
  where matches(vuln.cveID, NistCve)
  select {
    F5RCEAttrId: vuln.cveID,
    F5RCEAttrName: vuln.vulnerabilityName,
    F5RCEAttrAction: vuln.requiredAction,
    F5RCEAttrRansom: if vuln.knownRansomwareCampaignUse == "Known"
                     then true
                     else false,
    F5RCEAttrNotes: vuln.notes,
    F5RCEAttrDue: vuln.dueDate,
    F5RCEAttrVendor: vuln.vendorProject,
    F5RCEAttrProd: vuln.product
  };

// Only findings Forward's CVE analysis has marked as actually vulnerable.
getImpactingCves(device) =
  foreach cveFinding in device.cveFindings
  where cveFinding.isVulnerable
  select cveFinding;

// Optional helper: narrow findings to a single determination basis.
getByBasis(impactingCves, basis) =
  foreach cveFinding in impactingCves
  where cveFinding.basis == basis
  select cveFinding.cveId;

foreach device in network.devices
let impactingCves = getImpactingCves(device)
foreach deviceCVE in impactingCves
let F5RCEResult = getF5RCEAttr(deviceCVE.cveId)
foreach i in F5RCEResult
where matches(i.F5RCEAttrId, deviceCVE.cveId)
select {
  violation: true,
  Device: device.name,
  NistCVE: deviceCVE.cveId,
  Basis: deviceCVE.basis,
  F5RCEId: i.F5RCEAttrId,
  F5RCEName: i.F5RCEAttrName,
  Remedy: i.F5RCEAttrAction,
  KnownRansomWare: i.F5RCEAttrRansom,
  Notes: i.F5RCEAttrNotes,
  F5RCEVendor: i.F5RCEAttrVendor,
  F5RCEProd: i.F5RCEAttrProd
}

A few things worth noting about how this works. Rather than doing a raw version string comparison, the query reads from device.cveFindings — Forward Enterprise's own CVE analysis layer, which already accounts for device OS version, enabled features, and vendor-specific advisory data beyond what's in the NIST NVD alone. That means the isVulnerable flag it filters on reflects a more accurate determination of actual exposure, not just whether a device's version number falls within a vulnerable range. The Basis field in the output will tell you how that determination was made, which is useful when explaining findings to stakeholders or auditors.

The results surface each vulnerable device alongside the CVE ID, required remediation action, due date, ransomware association status, and the F5 advisory links — everything you need to kick off a remediation workflow without pivoting between tools.

2. Prioritize by Real Exposure, Not Just Version

Because CVE-2025-53521 is only exploitable when an APM access policy is active on a virtual server, you need more than a version check — you need a configuration-aware determination of risk. Forward's enhanced CVE analysis already factors in whether the relevant features are enabled, which means the query above is returning devices with actual exposure, not just version matches.
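As an added example (not from the original post, and not Forward Enterprise's CVE analysis or NQE), here is the same configuration-aware determination in plain Python: it applies the branch ranges from the table under "Who Is Affected" and the APM-access-policy-on-a-virtual-server condition to a constructed inventory, and deliberately treats an unknown APM answer as exposed. The device names, version strings and the apm_policy_on_vs field are assumptions.

```python
import re

# (major, minor) branch -> (first affected, last affected, fixed), from the post's table.
AFFECTED = {
    (17, 5): ((17, 5, 0), (17, 5, 1), (17, 5, 2)),
    (17, 1): ((17, 1, 0), (17, 1, 2), (17, 1, 3)),
    (16, 1): ((16, 1, 0), (16, 1, 6), (16, 1, 7)),
    (15, 1): ((15, 1, 0), (15, 1, 10), (15, 1, 11)),
}

def parse_version(text):
    """Reduce a BIG-IP version such as '16.1.5.1' to (major, minor, maintenance)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_status(text):
    """Return (status, fixed) with status 'vulnerable', 'fixed', or 'unlisted'."""
    ver = parse_version(text)
    entry = AFFECTED.get(ver[:2])
    if entry is None:  # branch not covered by the advisory table: needs a human look
        return "unlisted", None
    first, last, fixed = entry
    status = "vulnerable" if first <= ver <= last else "fixed"
    return status, ".".join(map(str, fixed))

def triage(inventory):
    """Rank devices. apm_policy_on_vs is True, False, or None (inventory cannot say); None
    counts as exposed, since only a confirmed False means the APM vector is absent."""
    rows = []
    for dev in inventory:
        status, fixed = version_status(dev["version"])
        apm = dev.get("apm_policy_on_vs")
        if status == "vulnerable":
            priority = "patch-scheduled" if apm is False else "patch-now"
        else:
            priority = "ok" if status == "fixed" else "review"
        rows.append({"device": dev["name"], "status": status, "priority": priority,
                     "fixed_version": fixed,
                     "apm_exposure": "unknown" if apm is None else str(apm).lower()})
    return rows

INVENTORY = [  # constructed sample inventory, not real devices
    {"name": "bigip-edge-01", "version": "17.1.1", "apm_policy_on_vs": True},
    {"name": "bigip-ltm-02", "version": "16.1.5.1", "apm_policy_on_vs": False},
    {"name": "bigip-edge-03", "version": "15.1.11", "apm_policy_on_vs": True},
    {"name": "bigip-lab-04", "version": "14.1.5", "apm_policy_on_vs": None},
]
```

Feeding triage(INVENTORY) a real export of your BIG-IP versions and APM virtual-server status gives a first-pass patch order; anything returned as "review" or with apm_exposure "unknown" is where the visibility gap the post describes still needs closing.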

3. Validate Network Exposure and Attack Paths

Knowing a device is vulnerable is one thing. Understanding whether attackers on the internet can actually reach the TMM processing layer is another. Forward Enterprise's path analysis lets you model reachability to your BIG-IP virtual server IPs from external segments, so you can quickly answer: "Is this vulnerable device internet-exposed, or is it protected behind other controls?"

That context matters enormously when you're triaging under a 72-hour deadline and can't patch everything simultaneously.

4. Confirm Remediation and Track Compliance Over Time

Once patches are applied, Forward Enterprise gives you verifiable evidence that devices have been updated to the fixed versions. You can set up a continuous compliance check that flags any BIG-IP device still running a vulnerable version — including devices that might be re-deployed or missed in the initial remediation sweep.

This is especially valuable for teams that need to report remediation status to leadership or auditors in the wake of a CISA directive.


My Take

What strikes me about CVE-2025-53521 is how it illustrates a challenge we talk about a lot at Forward: the gap between when a patch is available and when teams actually know they need it — and can prove they've applied it. Many organizations patched this back in October 2025 thinking they were addressing a DoS risk. They had no way of knowing the threat model had fundamentally changed until F5 revised the advisory five months later.

That's not a failure of those security teams. It's a structural problem with how vulnerability intelligence propagates. The answer isn't to manually re-audit your environment every time a CVE gets reclassified — it's to have a continuously updated, queryable model of your network that lets you answer these questions on demand.

If you're working through your response to CVE-2025-53521 and want to talk through how Forward Enterprise can help you find affected devices, model exposure, or track remediation, feel free to reply here or reach out directly.