Two CVSS 9.3 Vulns, One Weekend: F5 BIG-IP Under Active Exploitation, Citrix NetScaler Recon Underway
title: "Two CVSS 9.3 Vulns, One Weekend: F5 BIG-IP Under Active Exploitation, Citrix NetScaler Recon Underway"
slug: f5-bigip-cve-2025-53521-citrix-netscaler-cve-2026-3055-active-exploitation
tags: ["vulnerability", "F5", "BIG-IP", "Citrix", "NetScaler", "CISA", "CVE", "RCE"]
excerpt: "CVE-2025-53521 is being actively exploited in the wild. CISA's patch deadline for federal agencies is March 30 — that's Monday. CVE-2026-3055 on Citrix NetScaler is still in recon, but watchTowr says exploitation is imminent. Both are CVSS 9.3. Neither can wait until next week."
Two CVSS 9.3 vulnerabilities, both drawing active attacker attention this week. One is already being exploited. The other has threat actors fingerprinting targets right now. If you run F5 BIG-IP APM or Citrix NetScaler in any configuration, put down what you're doing.
F5 BIG-IP APM: CVE-2025-53521 — Active Exploitation, CISA Deadline Monday
CVE-2025-53521 is a remote code execution flaw in F5's BIG-IP Access Policy Manager (APM). CVSS v4 score: 9.3.
Here's the part that matters: CISA added it to the Known Exploited Vulnerabilities catalog Friday and ordered federal civilian agencies to patch by March 30. That's Monday.
The vulnerable surface is any virtual server with a BIG-IP APM access policy attached. Crafted traffic to that virtual server can execute arbitrary code on the underlying system, and no authentication is involved: an external attacker needs only network reach to the APM virtual server and the right request.
What makes this worse: it was originally categorized as a denial-of-service bug with a CVSS of 8.7. F5 reclassified it as RCE in March 2026 after "new information" emerged, and that "new information" appears to have been active exploitation. If you deferred it on the original DoS rating, that triage no longer holds; re-prioritize it as unauthenticated RCE.
F5 has published a solid set of IoCs. If you're not sure whether you're already compromised, here's what to check:
Filesystem:
- Presence of `/run/bigtlog.pipe` and/or `/run/bigstart.ltm`
- Hash or size mismatch on `/usr/bin/umount` and/or `/usr/sbin/httpd` vs. known-good versions
Logs:
- Entries in `/var/log/restjavad-audit.*.log` showing a local user accessing the iControl REST API from localhost
- Entries in `/var/log/auditd/audit.log` showing that same local user disabling SELinux via the iControl REST API
Behavioral:
- HTTP(S) responses from the BIG-IP with status 201 and a CSS content-type, an odd combination for a webtop; attackers are using it to camouflage C2 traffic
- Modifications to `/var/sam/www/webtop/renderer/apm_css.php3`, `full_wt.php3`, and `webtop_popup_css.php3`
F5 also notes the webshells operate in memory, so clean hashes on the files above do not clear the box. The same property cuts the other way: a reboot or upgrade destroys that evidence, so collect logs and a process snapshot before restarting a suspect appliance.
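The checks above, as an added example script that is not F5's own tooling, written for the BIG-IP bash shell or for a mounted image of one. Assumptions are marked in the code: the JSON key names matched in the restjavad audit line, the baseline hash file you supply from a clean appliance of the same version, and the fixture data, which is constructed rather than captured. The HTTP 201/CSS indicator is a network observation and is not covered here.

```shell
#!/bin/sh
# Added example, not F5 tooling: sweep a BIG-IP for the CVE-2025-53521
# indicators. Every check takes a root directory so it can run against the
# live filesystem, a mounted image, or a test tree. Counts go to stdout and
# details to stderr, so the functions compose in a script.
set -u

# Files whose mere presence F5 lists as an indicator.
ARTIFACTS="run/bigtlog.pipe run/bigstart.ltm"
# Binaries and webtop renderer files to compare against known-good hashes.
WATCHED="usr/bin/umount usr/sbin/httpd
var/sam/www/webtop/renderer/apm_css.php3
var/sam/www/webtop/renderer/full_wt.php3
var/sam/www/webtop/renderer/webtop_popup_css.php3"

# Count artifact files present under root $1.
check_artifacts() {
    root=$1; n=0
    for f in $ARTIFACTS; do
        if [ -e "$root/$f" ]; then
            echo "IOC: artifact present: /$f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Count watched files under root $1 whose sha256 differs from baseline file $2,
# which holds "<sha256>  <relative path>" lines as produced by running sha256sum
# from / on a clean appliance of the same version (assumption: you have one).
# A watched file missing from the baseline is reported but not counted.
check_hashes() {
    root=$1; baseline=$2; bad=0
    for f in $WATCHED; do
        [ -f "$root/$f" ] || continue
        actual=$(sha256sum "$root/$f" | cut -d' ' -f1)
        expected=$(awk -v p="$f" '$2 == p { print $1 }' "$baseline")
        if [ -z "$expected" ]; then
            echo "no baseline hash for /$f" >&2
        elif [ "$actual" != "$expected" ]; then
            echo "IOC: hash mismatch: /$f" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Count restjavad audit lines in file $1 where a local account called iControl
# REST from loopback. The "user" and "from" keys are an assumption about the
# log format; compare with one real line from your appliance before relying on it.
check_rest_audit() {
    grep -cE '"user":"local/[^"]*".*"from":"(127\.0\.0\.1|::1)"' "$1" || true
}

# Count auditd records in file $1 of SELinux being switched to permissive;
# setenforce 0 leaves a MAC_STATUS record with enforcing=0 old_enforcing=1.
check_selinux_audit() {
    grep -cE 'type=MAC_STATUS .*enforcing=0 old_enforcing=1' "$1" || true
}

# Run every check against root $1 (baseline file $2 optional); print the total.
sweep() {
    root=$1; baseline=${2:-}; total=0
    total=$((total + $(check_artifacts "$root")))
    [ -f "$baseline" ] && total=$((total + $(check_hashes "$root" "$baseline")))
    for l in "$root"/var/log/restjavad-audit.*.log; do
        [ -f "$l" ] && total=$((total + $(check_rest_audit "$l")))
    done
    a="$root/var/log/auditd/audit.log"
    [ -f "$a" ] && total=$((total + $(check_selinux_audit "$a")))
    echo "$total"
}

# Constructed fixture (not real data) so the checks can be exercised offline:
# one artifact, one tampered binary, one loopback REST call, one setenforce 0.
make_fixture() {
    d=$1
    mkdir -p "$d/run" "$d/usr/bin" "$d/var/log/auditd"
    : > "$d/run/bigtlog.pipe"
    printf 'clean\n' > "$d/usr/bin/umount"
    (cd "$d" && sha256sum usr/bin/umount) > "$d/baseline.txt"
    printf 'tampered\n' > "$d/usr/bin/umount"
    cat > "$d/var/log/restjavad-audit.0.log" <<'EOF'
[I][12][22 Mar 2026 03:14:07 UTC] {"user":"local/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"127.0.0.1"}
[I][13][22 Mar 2026 09:00:01 UTC] {"user":"local/admin","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/version","status":200,"from":"10.0.0.5"}
EOF
    cat > "$d/var/log/auditd/audit.log" <<'EOF'
type=MAC_STATUS msg=audit(1774149247.123:456): enforcing=0 old_enforcing=1 auid=0 ses=3
type=USER_CMD msg=audit(1774149300.000:457): pid=4242 uid=0 msg='cmd="ls"'
EOF
}

# On an appliance: sh bigip_ioc_sweep.sh --live [baseline.txt]; exits 1 on hits.
if [ "${1:-}" = "--live" ]; then
    hits=$(sweep / "${2:-}")
    echo "indicators fired: $hits"
    [ "$hits" -eq 0 ]
fi
```

Generate the baseline on a known-clean appliance of the same version with `cd / && sha256sum usr/bin/umount usr/sbin/httpd var/sam/www/webtop/renderer/*.php3 > baseline.txt` and copy it over; without it the hash check is skipped, not passed. A total of zero means none of these particular indicators fired, not that the appliance is clean.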
Affected versions and fixes:
| Affected | Fixed In |
|----------|----------|
| 17.5.0 – 17.5.1 | 17.5.1.3 |
| 17.1.0 – 17.1.2 | 17.1.3 |
| 16.1.0 – 16.1.6 | 16.1.6.1 |
| 15.1.0 – 15.1.10 | 15.1.10.8 |
If you're on an affected version and the fix isn't deployed yet, F5 recommends restricting access to the BIG-IP management interface and to the APM virtual servers as an interim control. The two address different stages: the exploit arrives at the APM virtual server, so limiting which sources can reach it is what actually reduces exposure, while locking down the management interface limits what an attacker can do once on the box. Neither is a substitute for the fix.
Citrix NetScaler: CVE-2026-3055 — Recon Active, Exploitation Expected Soon
The F5 story is urgent. But while you're in patch mode, look at CVE-2026-3055 on Citrix NetScaler ADC and NetScaler Gateway. CVSS 9.3.
This one is a memory over-read caused by insufficient input validation. Successful exploitation leaks sensitive information, potentially enough to facilitate further attacks. The catch: it requires the appliance to be configured as a SAML Identity Provider (SAML IDP). If yours isn't, your risk profile drops significantly, but confirm that from the CLI (`show authentication samlIdPProfile` and its policy bindings) rather than from memory of how the box was set up. And if it is configured as an IDP?
Defused Cyber flagged active recon this week: attackers are probing `/cgi/GetAuthMethods` across NetScaler honeypots to enumerate authentication methods — specifically looking for SAML IDP configurations. watchTowr independently confirmed the same pattern across their honeypot infrastructure and was blunt about it: "When attacker reconnaissance shifts to active exploitation, the window to respond will evaporate."
This is the pre-exploitation phase. They're building target lists.
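One way to see this recon in your own logs, as an added example that is not code from the researchers quoted above. It parses NCSA common log format, which NetScaler Web Logging and most reverse proxies placed in front of a gateway can emit; the log lines in `make_sample_log` are constructed, not captured traffic, and the alert threshold is an assumption to tune.

```shell
#!/bin/sh
# Added example: flag the /cgi/GetAuthMethods reconnaissance pattern in NCSA
# common-log-format request logs. Field 1 is the client IP, field 7 the
# request path (inside the quoted request line).
set -u
PROBE_PATH='/cgi/GetAuthMethods'

# Print "ip count" for each source that requested the probe path and nothing
# else, i.e. touched the gateway only to fingerprint it. A client going through
# a real logon produces other requests as well; the sample below models that.
probe_only_sources() {
    awk -v p="$PROBE_PATH" '
        { split($7, u, "?"); path = u[1]
          if (path == p) probes[$1]++; else other[$1]++ }
        END { for (ip in probes) if (!(ip in other)) print ip, probes[ip] }
    ' "$1" | sort
}

# Number of distinct sources that hit the probe path at all; a jump in this
# number day over day is the "target list being built" signal.
distinct_probers() {
    awk -v p="$PROBE_PATH" '
        { split($7, u, "?"); if (u[1] == p) seen[$1] = 1 }
        END { n = 0; for (ip in seen) n++; print n }
    ' "$1"
}

# Succeed (alert) when more than $2 probe-only sources appear in log $1.
# The default threshold is an assumption; tune it to the gateway's traffic.
recon_alert() {
    [ "$(probe_only_sources "$1" | wc -l | tr -d ' ')" -gt "${2:-5}" ]
}

# Constructed sample: two probe-only sources (one with a query string), and
# one genuine logon that touches the endpoint among other requests.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [21/Mar/2026:02:11:04 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512
203.0.113.10 - - [21/Mar/2026:02:11:05 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512
198.51.100.7 - - [21/Mar/2026:02:11:09 +0000] "GET /cgi/GetAuthMethods?nonce=1 HTTP/1.1" 200 512
192.0.2.44 - - [21/Mar/2026:08:30:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096
192.0.2.44 - - [21/Mar/2026:08:30:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512
192.0.2.44 - - [21/Mar/2026:08:30:05 +0000] "POST /cgi/login HTTP/1.1" 302 0
EOF
}

# Usage: sh netscaler_recon.sh access.log [threshold]
if [ $# -gt 0 ]; then
    probe_only_sources "$1"
    recon_alert "$1" "${2:-5}" && echo "ALERT: GetAuthMethods recon" >&2
fi
```

Feed the probe-only IPs into whatever blocks at the edge, and keep the distinct-prober count as a daily metric: the shift watchTowr warns about shows up there before it shows up as exploitation.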
Affected versions:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262
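Deciding "affected or not" from that list is easy to get wrong in one place: the 13.1-FIPS and 13.1-NDcPP editions run on the 13.1-37.x build line, so a script that compares every 13.1 box against 13.1-62.23 will call a patched FIPS appliance vulnerable and, worse, could be adapted to call an unpatched one fixed. The following is an added example, not Citrix tooling; it takes the edition as an explicit argument and treats release lines the advisory does not name as unknown rather than safe. The `show ns version` output format it parses is an assumption to verify against your own appliance.

```shell
#!/bin/sh
# Added example: classify a NetScaler build against the CVE-2026-3055 fixed
# builds. Accepts the line printed by "show ns version" (assumed format:
# "NetScaler NS14.1: Build 59.19.nc, Date: ...") or the short "14.1-59.19".
set -u

# Normalise either input form to "major.minor-build.patch"; print nothing and
# fail for anything else.
normalize_version() {
    printf '%s\n' "$1" |
        sed -E 's/^NetScaler NS([0-9]+\.[0-9]+): Build ([0-9]+\.[0-9]+).*$/\1-\2/' |
        grep -E '^[0-9]+\.[0-9]+-[0-9]+\.[0-9]+$'
}

# Succeed when version $1 sorts below $2, comparing the four numeric parts.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); split(b, y, /[.-]/)
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# First fixed build for a release line and edition (standard, FIPS, NDcPP),
# straight from the advisory list; empty when the line is not listed.
fixed_build() {
    case "$1/${2:-standard}" in
        14.1/standard)        echo 14.1-66.59 ;;
        13.1/standard)        echo 13.1-62.23 ;;
        13.1/FIPS|13.1/NDcPP) echo 13.1-37.262 ;;
        *)                    echo "" ;;
    esac
}

# Print affected, fixed, or unknown for version string $1 and edition $2.
# "unknown" covers unparsable input and release lines the advisory does not
# name (12.1 and older); do not read it as safe.
netscaler_status() {
    v=$(normalize_version "$1") || { echo unknown; return 0; }
    fix=$(fixed_build "${v%%-*}" "${2:-standard}")
    [ -n "$fix" ] || { echo unknown; return 0; }
    if version_lt "$v" "$fix"; then echo affected; else echo fixed; fi
}

# Usage: sh netscaler_check.sh "<show ns version line>" [FIPS|NDcPP]
if [ $# -gt 0 ]; then
    netscaler_status "$1" "${2:-standard}"
fi
```

Run it over your inventory export rather than one box at a time; the edition column is the field most inventories lack, and that is exactly where the misclassification hides.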
For context on how seriously to take Citrix vulns: CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), and CVE-2025-6543 all went from disclosure to mass exploitation within days to weeks. The pattern holds.
Bottom Line
Two CVSS 9.3 bugs. Both are products commonly deployed as internet-facing access control infrastructure — exactly what targeted threat actors prioritize.
For F5: patch before Monday, run the IoC checks above today, and assume compromise if you're on a vulnerable version that's been externally accessible. The in-memory webshell behavior means standard file integrity checks may miss an active intrusion.
For Citrix: if you're running a SAML IDP configuration, treat this as active and patch now — don't wait for exploitation confirmation. The recon phase is the warning shot.
CybrPulse tracked both CVEs across 93 security stories published in the last 12 hours. These two were the highest-scored for actionability and severity. Patch windows this tight don't come around often — and neither do simultaneous CVSS 9.3 advisories on the same infrastructure class.