The United States Cybersecurity & Infrastructure Security Agency has added an older vulnerability to its Known Exploited Vulnerabilities Catalog, with one security researcher calling the news of active exploitation of a flaw in F5 BIG-IP APM a “Big ‘yikes’ moment”.
CVE-2025-53521 was first disclosed by F5, the vendor of BIG-IP, in October 2025.
“This is an issue impacting BIG-IP APM systems,” F5 wrote at the time.
“This vulnerability allows an unauthenticated attacker to perform remote code execution. The BIG-IP system in Appliance mode is also vulnerable. This is a data plane issue; there is no control plane exposure.”
When first disclosed, the vulnerability was categorised as a denial of service issue, and given a CVSS score of 7.5.
Now, with remote code execution thrown into the mix, the CVE entry has been updated with a CVSS score of 9.8, making it a Critical-level issue, and one to address quickly, according to watchTowr CEO and founder Benjamin Harris.
“When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn’t immediately signal urgency, and many system administrators likely prioritised it accordingly,” Harris told Cyber Daily on March 28.
“Fast forward to today’s big ‘yikes’ moment: the situation has changed significantly. What we’re observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That’s a very different risk profile than what was initially communicated.
“Teams will be working quickly (and likely through the weekend) to patch exposed systems, but patching is only part of the equation. The immediate focus will be on determining whether this has already been exploited in their environments.”
CVE-2025-53521 affects four BIG-IP APM release branches; in each case the range runs from the first affected version up to, but not including, the version that carries the fix:
- 17.5.x: affected from 17.5.0, fixed in 17.5.1.3
- 17.1.x: affected from 17.1.0, fixed in 17.1.3
- 16.1.x: affected from 16.1.0, fixed in 16.1.6.1
- 15.1.x: affected from 15.1.0, fixed in 15.1.10.8
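Because a BIG-IP version has up to four dotted components and the fix boundaries differ per branch, an eyeball comparison is easy to get wrong. The following check is an added example written for this page, not code from F5 or from the article: it encodes the four ranges exactly as listed above (copy them from F5's advisory before relying on them) and reports, for a version string such as the one printed by `tmsh show sys version` on the device, whether it falls inside a listed range and which version in its branch carries the fix. The sample versions at the bottom are constructed for illustration.

```python
"""
Compare a BIG-IP version string against the CVE-2025-53521 ranges quoted
in the article. Assumption: the ranges below are as F5 published them;
verify against the advisory before acting on the result.
"""
import re

# (branch label, first affected version, first fixed version)
# Copied from the article's list; not taken from any live data source.
AFFECTED_RANGES = [
    ("17.5", "17.5.0", "17.5.1.3"),
    ("17.1", "17.1.0", "17.1.3"),
    ("16.1", "16.1.0", "16.1.6.1"),
    ("15.1", "15.1.0", "15.1.10.8"),
]


def parse_version(text):
    """Return a 4-tuple of ints for a BIG-IP version such as '17.1.1.3'.

    Shorter strings are zero-padded so '17.1.3' equals '17.1.3.0', and any
    trailing build information (e.g. 'Build 0.0.5') is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def check_version(text):
    """Return (affected, branch, fixed_in) for one version string.

    affected: True when the version lies inside a listed range.
    branch:   the matched branch label, or None if no listed range covers
              the version (a branch absent from the list is not evaluated).
    fixed_in: the first fixed version for that branch, or None.
    """
    v = parse_version(text)
    for branch, first_bad, first_good in AFFECTED_RANGES:
        if parse_version(first_bad) <= v < parse_version(first_good):
            return True, branch, first_good
    # Same branch but at or above the fix: carries the fix (F5's rule that a
    # version later than the listed fix in the same branch is fixed).
    for branch, first_bad, first_good in AFFECTED_RANGES:
        if v[:2] == parse_version(first_bad)[:2] and v >= parse_version(first_good):
            return False, branch, first_good
    return False, None, None


def report(text):
    """Human-readable one-line verdict for a version string."""
    affected, branch, fixed_in = check_version(text)
    if affected:
        return f"{text}: AFFECTED (branch {branch}); upgrade to {fixed_in} or later"
    if branch is None:
        return f"{text}: not in a listed range; branch not covered by this list"
    return f"{text}: not affected (branch {branch} fix is {fixed_in})"


if __name__ == "__main__":
    # Constructed sample versions, not output captured from a real device.
    for sample in ["17.1.1.3", "17.5.1.3 Build 0.0.1", "15.1.10.7", "14.1.5"]:
        print(report(sample))
```

Feed it the `Version` value from `tmsh show sys version` on each device (or whatever your inventory records), and treat a "branch not covered" result as a prompt to read the advisory rather than as a clean bill of health.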
F5 has published an updated advisory with advice for network defenders.
“If you are running a version listed in the ‘Versions known to be vulnerable’ column, you can eliminate this vulnerability by installing a version listed in the ‘Fixes introduced in’ column. If the ‘Fixes introduced in’ column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends that you upgrade to a version with the fix,” F5 said.
“If the ‘Fixes introduced in’ column lists a version prior to the one you are running, in the same branch, then your version should have the fix.”
You can read F5’s full advisory here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.