CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html

Publish Date: 2026-03-28 03:07:00

Source Domain: thehackernews.com

Ravie Lakshmanan, Mar 28, 2026, Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution.

“When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE),” according to a description of the flaw in CVE.org.

While the shortcoming was initially categorized and remediated as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7, F5 said it has been reclassified as a case of RCE in light of “new information obtained in March 2026.”

The company has since updated its advisory to confirm that the vulnerability “has been exploited in the vulnerable BIG-IP versions.” It did not share any additional details on who may be behind the exploitation activity.

However, F5 published a number of indicators that can be used to assess whether a system has been compromised –

  • File-related indicators –
    • Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
    • Mismatch of file hashes when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
    • Mismatch of file sizes or timestamps when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
    • Each release and EHF may have different file sizes and timestamps.
  • Log-related indicators –
    • An entry in “/var/log/restjavad-audit..log” showing a local user accessing the iControl REST API from localhost.
    • An entry in “/var/log/auditd/audit.log.” showing a local user accessing the iControl REST API from localhost to disable SELinux.
    • Log messages in “/var/log/audit” show the results of a command being run in the audit log.
  • Other TTPs observed include –
    • Modifications to…
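The file and log indicators above translate directly into a host triage check. The script below is an added example, not code from F5 or The Hacker News: it looks for the two marker files, compares /usr/bin/umount and /usr/sbin/httpd against operator-supplied known-good SHA-256 digests, and greps the REST and auditd logs. Everything beyond the indicator list is an assumption: the digest-list format (sha256sum's "<digest>  <path>", which must come from a clean install of the same release and EHF, since F5 notes sizes and timestamps differ per release), the log file names passed in as arguments (the page's spelling of the restjavad audit log name is garbled), the constructed log lines staged by build_sample_tree, and the grep patterns used to spot a localhost caller of /mgmt/ and a setenforce invocation.

```shell
#!/bin/sh
# Added example (not F5's or The Hacker News' code): read-only triage for the
# file- and log-based indicators F5 listed for CVE-2025-53521.
# ROOT is "/" on a live BIG-IP; pointing it at a staged copy runs the checks offline.
# Assumptions not on the page: digest list in sha256sum "<digest>  <path>" format,
# log paths given as arguments, and the grep patterns REST_LOCAL / SELINUX_OFF.

# Marker files whose mere presence F5 lists as an indicator.
check_marker_files() {
    root="${1%/}"; hits=0
    for f in /run/bigtlog.pipe /run/bigstart.ltm; do
        if [ -e "$root$f" ]; then
            echo "IOC: unexpected file present: $f" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Compare the two binaries F5 names against known-good SHA-256 digests.
# Digest list: one "<sha256>  <absolute path>" line per file; a missing file counts as a mismatch.
check_binaries() {
    root="${1%/}"; known="$2"; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        have=$(sha256sum "$root$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "IOC: digest mismatch or missing file: $path" >&2
            bad=$((bad + 1))
        fi
    done < "$known"
    echo "$bad"
}

# Count log lines matching an extended regex; 0 if the log is absent or unreadable.
count_log_matches() {
    log="$1"; pattern="$2"
    [ -r "$log" ] || { echo 0; return 0; }
    grep -Ec "$pattern" "$log" || true
}

# iControl REST call with a localhost source (assumed pattern, tune to the real log format).
REST_LOCAL='(localhost|127\.0\.0\.1).*/mgmt/'
# SELinux being switched off via setenforce (assumed pattern).
SELINUX_OFF='setenforce'

# Stage a constructed tree that trips each check once; log line shapes are made up.
build_sample_tree() {
    d="$1"
    mkdir -p "$d/run" "$d/usr/bin" "$d/usr/sbin" "$d/var/log/auditd"
    : > "$d/run/bigtlog.pipe"                       # marker file present
    printf 'unmodified\n' > "$d/usr/bin/umount"      # matches its digest
    printf 'tampered\n'   > "$d/usr/sbin/httpd"      # will not match its digest
    {
        printf '%s  /usr/bin/umount\n' "$(sha256sum "$d/usr/bin/umount" | cut -d' ' -f1)"
        printf '%s  /usr/sbin/httpd\n' "$(printf 'unmodified\n' | sha256sum | cut -d' ' -f1)"
    } > "$d/known-good.sha256"
    printf '%s\n' \
      '2026-03-20T10:15:02Z user=local/admin src=127.0.0.1 POST /mgmt/tm/util/bash' \
      '2026-03-20T10:15:03Z user=local/admin src=10.0.0.5 GET /mgmt/tm/sys/version' \
      > "$d/var/log/restjavad-audit.0.log"
    printf '%s\n' \
      'type=EXECVE msg=audit(1774001703.120:77): argc=2 a0="setenforce" a1="0"' \
      > "$d/var/log/auditd/audit.log"
}

# Run every check and print the total indicator count (0 means nothing observed).
scan() {
    root="$1"; known="$2"; rest_log="$3"; audit_log="$4"
    total=0
    total=$((total + $(check_marker_files "$root")))
    total=$((total + $(check_binaries "$root" "$known")))
    total=$((total + $(count_log_matches "$rest_log" "$REST_LOCAL")))
    total=$((total + $(count_log_matches "$audit_log" "$SELINUX_OFF")))
    echo "$total"
}

# Usage on a live system:
#   sh ioc_check.sh / /path/known-good.sha256 /var/log/restjavad-audit.0.log /var/log/auditd/audit.log
if [ "$#" -eq 4 ]; then
    scan "$1" "$2" "$3" "$4"
fi
```

Each check prints the indicator detail to stderr and only a count to stdout, so the script can feed a fleet-wide job that flags any non-zero total for manual review against the full advisory. A digest match is only meaningful if the known-good list was generated from the same release and EHF, which is why the list is an input rather than something baked into the script.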
