CVE-2025-53521 is a critical RCE vulnerability in F5 BIG-IP APM with a 9.8 CVSS score. Actively exploited; immediate patching is required for affected systems.

| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| big-ip_access_policy_manager | 15.1.0 | 15.1.10.8 | vulnerable |
| big-ip_access_policy_manager | 16.1.0 | 16.1.6.1 | vulnerable |
| big-ip_access_policy_manager | 17.1.0 | 17.1.3 | vulnerable |
| big-ip_access_policy_manager | 17.5.0 | 17.5.1.3 | vulnerable |

Download and install the latest security updates from the F5 Support portal immediately to patch the Remote Code Execution vulnerability in the BIG-IP Access Policy Manager.

Ensure your BIG-IP environment is running version 15.1.10.8, 16.1.6.1, 17.1.3, or 17.5.1.3, or a later release of the same branch, as these versions contain the necessary fixes for the identified vulnerability.

Minimize exposure by restricting network access to virtual servers with active APM policies and ensuring that the BIG-IP management interface is isolated from the public internet.

Audit system logs for unusual traffic patterns, unexpected Traffic Management Microkernel (TMM) restarts, or unauthorized configuration changes that may indicate an attempted or successful exploit.

Security teams should monitor BIG-IP logs for signs of stack-based buffer overflows (CWE-121) or anomalous HTTP requests directed at the Access Policy Manager. Watch for unexpected process crashes in the 'tmm' service and investigate any unauthorized file creation or administrative activity. Since this is a network-based attack, deploy network signatures to detect malformed packets or suspicious payloads targeting virtual servers where APM access policies are enabled.
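The version ranges from the table, turned into a check that can be run over an inventory of BIG-IP versions. This is an added example, not code from F5 or from the original page; the hostnames and sample versions are constructed, and reporting branches absent from the table as "not listed" (rather than safe) is a choice made for this example.

```python
# Added example: affected ranges copied from the advisory table above,
# as (first affected version, first fixed version) per branch.
AFFECTED = [
    ("15.1.0", "15.1.10.8"),
    ("16.1.0", "16.1.6.1"),
    ("17.1.0", "17.1.3"),
    ("17.5.0", "17.5.1.3"),
]

def parse(version):
    """'17.1.2.1' -> (17, 1, 2, 1); raises ValueError on non-numeric parts."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)

def pad(v, n):
    """Right-pad with zeros so 17.1.3 and 17.1.3.0 compare equal."""
    return v + (0,) * (n - len(v))

def classify(version):
    """Return (status, first_fixed) where status is 'vulnerable', 'fixed'
    or 'not listed' (branch absent from the table: check the vendor advisory)."""
    v = parse(version)
    for start, end in AFFECTED:
        lo, hi = parse(start), parse(end)
        n = max(len(v), len(lo), len(hi))
        v_p, lo_p, hi_p = pad(v, n), pad(lo, n), pad(hi, n)
        if v_p[:2] != lo_p[:2]:
            continue                      # different major.minor branch
        if lo_p <= v_p < hi_p:
            return ("vulnerable", end)
        if v_p >= hi_p:
            return ("fixed", end)
    return ("not listed", None)

def audit(inventory):
    """Map each host to its classification; unparsable versions are flagged."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = ("unparsable", None)
    return report

# Constructed inventory (hypothetical hostnames and versions).
SAMPLE = {"apm-edge-1": "17.1.2.1", "apm-edge-2": "17.1.3",
          "apm-dc-1": "15.1.10", "apm-lab": "16.0.1", "apm-old": "17.5.x"}

if __name__ == "__main__":
    for host, (status, fixed) in audit(SAMPLE).items():
        print(f"{host:12} {status:11} first fixed in branch: {fixed}")
```

Padding matters here: without it, a three-part version such as 15.1.10 would not compare correctly against the four-part fix version 15.1.10.8.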