F5 BIG-IP APM CVE-2025-53521: What Was "Denial of Service" Is Now Confirmed RCE — and It's Being Exploited

If you run F5 BIG-IP APM and haven't patched since October 2025, stop reading and go do that. Then come back.

CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog Friday afternoon. US federal civilian agencies have until Monday, March 30 to assess exposure and mitigate. That's a 72-hour window. If you're in the private sector, the urgency is the same — the deadline just isn't mandatory.

How We Got Here

This vulnerability has a longer backstory than most.

F5 first disclosed CVE-2025-53521 on October 15, 2025, buried inside a larger admission: a China-linked nation-state threat actor had been inside F5's network for at least 12 months. During that access, the attackers exfiltrated BIG-IP source code and information about undisclosed vulnerabilities. F5 classified CVE-2025-53521 at the time as a denial-of-service flaw — disruptive, but not immediately terrifying.

That classification didn't hold.

In March 2026, F5 updated the advisory. New information changed the picture significantly: CVE-2025-53521 is a remote code execution vulnerability. CVSS scores are now 9.8 on v3.1 and 9.3 on v4.0. The attacker group, believed to be the same one that deployed the Brickstorm backdoor on customer systems, knew what they were sitting on.

What the Vulnerability Actually Does

The flaw lives in the `apmd` process, the BIG-IP APM component that handles live access-policy traffic. When an access policy is attached to a virtual server, a specially crafted request to that virtual server can trigger arbitrary code execution on the underlying system. Appliance mode is not a mitigation: BIG-IP systems running in Appliance mode are also vulnerable.

Affected versions:

  • 17.5.0 to 17.5.1
  • 17.1.0 to 17.1.2
  • 16.1.0 to 16.1.6
  • 15.1.0 to 15.1.10

BIG-IP APM isn't a fringe product. It sits in front of apps, APIs, and data at enterprises, financial institutions, and government organizations. It's infrastructure. That's what makes this particularly bad.

What Exploitation Looks Like

F5 has published indicators of compromise, and some of what they've documented is worth reading closely.

Defenders should look for:

  • Specific files written to disk associated with "malicious software c05d5254"
  • Log entries showing a local user disabling the SELinux security module
  • Modifications to `sys-eicheck`, BIG-IP's own system integrity checker — the threat actor went out of their way to blind the host's tamper detection
  • Inbound and outbound HTTP/S traffic patterns documented in F5's advisory

The webshells are worth a specific callout. F5 confirmed webshells have been deployed, but noted they primarily operate in memory. That means file-based IOC scanning alone won't catch everything. Examine running processes and listening sockets on the live system before you reboot or re-image: a reboot clears an in-memory implant along with the evidence that it was ever there.

One detail from F5's write-up is telling: in at least one observed case, the threat actor modified components on the running partition, but failed to replicate those changes to the backup partition. When the customer upgraded and rebooted into the clean partition, the modifications didn't persist. The attacker missed a step. That's the kind of operational slip that happens when a campaign is running at scale.

CybrPulse Coverage

We've been tracking F5 BIG-IP and Brickstorm activity across our feeds since the original October disclosure. CybrPulse has logged 312 articles in that window — 74 in January, 92 in February, 127 in March so far. Coverage has been accelerating, tracking the escalation from "China stole source code" to "nation-state RCE in production infrastructure."

What You Need to Do

The patches F5 released in October 2025 address CVE-2025-53521. If you applied them then, the vulnerability itself is closed; whether the box was exploited before you patched is a separate question, and that is what the IOC review is for. If you didn't patch, or you're unsure, the action items are:

  1. Patch immediately — October 2025 fixed versions remain valid
  2. Check F5's IOC advisory (K000160486) — look for the artifacts, log patterns, and SELinux disable events documented there
  3. Verify sys-eicheck integrity — if it's been modified, assume compromise and escalate
  4. Don't rely solely on file-based detection — the memory-resident webshells won't show up on a disk scan
  5. Inventory your exposed APM instances — anything internet-facing with an active access policy needs to be checked, not just patched
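To turn the affected-version list and the SELinux indicator into something you can run during the inventory step, here is a small triage script. It is an added example, not F5 tooling and not taken from either advisory: the affected ranges are the four listed above, the sample log lines are constructed, the SELinux-disable patterns are a starting heuristic rather than F5's published IOCs, and the path to sys-eicheck is deliberately left for you to fill in from K000160486.

```python
"""Triage helpers for CVE-2025-53521 exposure review.

Added example, not F5 tooling. Assumptions: version strings are whatever you
read off the unit (for instance from `tmsh show sys version`); the log lines
are constructed; the SELinux patterns are a heuristic, not F5's IOC list.
"""
import hashlib
import re
from typing import Iterable

# The four affected ranges given in the advisory summary, as (low, high)
# three-component tuples. The page does not list fixed versions, so this
# script never says "fixed", only "not-listed".
AFFECTED_RANGES = [
    ((17, 5, 0), (17, 5, 1)),
    ((17, 1, 0), (17, 1, 2)),
    ((16, 1, 0), (16, 1, 6)),
    ((15, 1, 0), (15, 1, 10)),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Pull the first dotted version out of free text, e.g. '17.1.1.3'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def classify(version: str) -> str:
    """Return 'affected', 'not-listed' or 'in-range-point-release'.

    The ranges above are three-component. F5 ships fixes as point releases
    (a fourth component), so a 4-part version whose first three parts fall
    inside a range may already be patched; that case is flagged for a
    manual check against the advisory instead of being called affected.
    """
    parts = parse_version(version)
    base = tuple(parts[:3]) + (0,) * max(0, 3 - len(parts))
    if not any(lo <= base <= hi for lo, hi in AFFECTED_RANGES):
        return "not-listed"
    return "in-range-point-release" if len(parts) > 3 else "affected"


# Constructed sample log, loosely modelled on syslog lines. Not real F5 IOC
# entries; swap in your own exported /var/log contents.
SAMPLE_LOG = """\
Mar 27 02:14:03 bigip1 notice tmsh[2234]: AUDIT - user=admin cmd_data=show sys version
Mar 27 02:15:41 bigip1 notice bash[2290]: root: setenforce 0
Mar 27 02:15:52 bigip1 notice bash[2290]: root: sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
Mar 27 02:16:10 bigip1 notice bash[2290]: root: chmod +x /var/tmp/.x
Mar 27 02:17:30 bigip1 notice tmsh[2301]: AUDIT - user=admin cmd_data=list ltm virtual
"""

# Ways a local user turns SELinux off or down. Heuristic, not F5's IOCs.
SELINUX_DISABLE_PATTERNS = [
    re.compile(r"\bsetenforce\s+(0|permissive)\b", re.I),
    re.compile(r"SELINUX\s*=\s*(disabled|permissive)", re.I),
    re.compile(r"\bselinux=0\b", re.I),  # kernel command line / grub edits
    re.compile(r"\benforcing=0\b", re.I),
]


def find_selinux_disable_events(lines: Iterable[str]) -> list[str]:
    """Return the log lines that look like an attempt to disable SELinux."""
    return [
        line.rstrip("\n")
        for line in lines
        if any(p.search(line) for p in SELINUX_DISABLE_PATTERNS)
    ]


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def same_file_content(path_a: str, path_b: str) -> bool:
    """Compare the running copy of a binary against a trusted copy.

    The natural trusted copy is the one on the backup boot partition or a
    clean install of the same version. The sys-eicheck path is not given on
    this page; take it from F5's K000160486 before calling this.
    """
    return file_digest(path_a) == file_digest(path_b)


if __name__ == "__main__":
    for v in ("17.1.1", "17.1.2.2", "17.5.2", "15.1.10"):
        print(f"{v:>10} -> {classify(v)}")
    for hit in find_selinux_disable_events(SAMPLE_LOG.splitlines()):
        print("SELinux indicator:", hit)
```

Run the log scan against logs exported off the unit rather than on a box you already suspect is compromised, and treat a `same_file_content` mismatch on sys-eicheck the way item 3 above says: assume compromise and escalate, don't just patch.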

If you're a federal civilian agency, you have until Monday. If you're not, pretend you do.


*Sources: Help Net Security, The Hacker News, Security Affairs, CISA KEV Catalog, F5 Security Advisory K000156741 and K000160486*
