Detections
Analytics

CVE-2025-53521

critical

Description

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References

https://my.f5.com/manage/s/article/K000156741

https://securityaffairs.com/190384/security/attackers-exploit-rce-flaw-as-14000-f5-big-ip-apm-instances-remain-exposed.html

https://www.bleepingcomputer.com/news/security/over-14-000-f5-big-ip-apm-instances-still-exposed-to-rce-attacks/

https://www.infosecurity-magazine.com/news/ncsc-urges-immediate-patching-f5/

https://hackread.com/critical-f5-big-ip-flaw-upgrad-to-9-8-rce-exploited/

https://www.securityweek.com/f5-big-ip-dos-flaw-upgraded-to-critical-rce-now-exploited-in-the-wild/

https://www.databreachtoday.com/under-fire-attackers-target-flaws-in-f5-citrix-gear-a-31289

https://www.darkreading.com/application-security/fortinet-big-ip-vulnerability-reclassified-rce-exploitation

https://www.darkreading.com/application-security/f5-big-ip-vulnerability-reclassified-rce-exploitation

https://www.bleepingcomputer.com/news/security/hackers-now-exploit-critical-f5-big-ip-flaw-in-attacks-patch-now/

https://www.helpnetsecurity.com/2026/03/28/big-ip-apm-vulnerability-cve-2025-53521-exploited/

https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html

https://securityaffairs.com/190076/uncategorized/u-s-cisa-adds-a-flaw-in-f5-big-ip-amp-to-its-known-exploited-vulnerabilities-catalog.html

https://www.cisa.gov/news-events/alerts/2026/03/27/cisa-adds-one-known-exploited-vulnerability-catalog

https://my.f5.com/manage/s/article/K000156572

https://www.tenable.com/blog/frequently-asked-questions-about-the-august-2025-f5-security-incident

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521

Details

Source: Mitre, NVD

Published: 2025-10-15

Updated: 2026-03-31

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: Critical

EPSS

EPSS: 0.41408

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest