Back to Intelligence

CISA Adds Critical F5 BIG-IP Vulnerability to KEV Catalog: Action Required

SA
Security Arsenal Team
April 4, 2026
6 min read

CISA Adds Critical F5 BIG-IP Vulnerability to KEV Catalog: Action Required

The Cybersecurity and Infrastructure Security Agency (CISA) has added a new critical vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the active threat it poses to federal and commercial networks alike. This alert concerns CVE-2025-53521, an unauthenticated code execution vulnerability affecting F5 BIG-IP devices.

For defenders, this addition to the KEV Catalog is a significant signal. It means CISA has reliable intelligence that malicious cyber actors are actively exploiting this flaw in the wild. For organizations relying on F5 BIG-IP for traffic management and security, this is not just a routine patch cycle—it is an emergency that requires immediate attention to prevent potential compromise.

Technical Analysis

CVE-2025-53521 is a critical security flaw in F5 BIG-IP systems. Specifically, this vulnerability allows unauthenticated attackers to execute arbitrary code with elevated privileges. F5 BIG-IP devices are often positioned at the edge of the network, managing application delivery and security policies. A compromise of these devices provides attackers with a deep vantage point to intercept traffic, move laterally, or disrupt critical services.

According to CISA's Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by the specified due dates. However, the risks extend far beyond the federal government. Any organization utilizing F5 BIG-IP infrastructure is a potential target.

Affected Products:

  • F5 BIG-IP (all versions carrying specific vulnerability checks)

Severity: Critical (Unauthenticated Code Execution)

Fix Details: F5 has released security advisories and patches addressing this vulnerability. Organizations must upgrade to fixed versions immediately.

Defensive Monitoring

To assist security teams in identifying potential exploitation attempts or verifying patch compliance, we have compiled the following detection rules and hunt queries.

SIGMA Detection Rules

These SIGMA rules can be deployed to SIEMs (like Splunk, Elastic, or QRadar) to detect suspicious activity associated with BIG-IP exploitation or administrative anomalies.

YAML
---
title: Suspicious F5 BIG-IP Configuration Change via Bash
id: a1b2c3d4-5678-90ab-cdef-123456789abc
status: experimental
description: Detects suspicious bash execution patterns often associated with exploitation of BIG-IP management interfaces.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/bin/bash'
    CommandLine|contains:
      - 'tmsh'
      - 'bigstart'
      - 'restjavad'
    CommandLine|re: '.*(curl|wget|nc|perl).*\|.*sh'
falsepositives:
  - Legitimate administrative management via CLI
level: high
---
title: Unusual Network Connection from BIG-IP Management Process
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
description: Detects outbound network connections initiated by the BIG-IP management plane process, which may indicate reverse shell activity.
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    Image|contains: '/restjavad'
    DestinationPort:
      - 4444
      - 8080
      - 443
    Initiated: 'true'
falsepositives:
  - Legitimate API calls to external configuration management tools
level: critical
---
title: Potential Web Shell Upload Activity via HTTP
id: c3d4e5f6-7890-12ab-cdef-345678901cde
status: experimental
description: Detects potential web shell upload attempts targeting BIG-IP traffic management interfaces.
references:
  - https://attack.mitre.org/techniques/T1505/
author: Security Arsenal
date: 2026/03/29
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: web_access
  product: apache
detection:
  selection:
    cs-method|contains:
      - 'POST'
      - 'PUT'
    cs-uri-query|contains:
      - 'tmui/login.jsp'
      - 'tmui/locallb/workspace'
    cs-uri-stem|re: '.*\.(jsp|php|sh)$'
falsepositives:
  - Unknown, requires tuning based on legitimate application traffic
level: high

KQL Queries for Microsoft Sentinel/Defender

Use these KQL queries to hunt for signs of compromise or verify system configurations related to F5 devices in your environment.

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious process execution on Linux endpoints hosting F5
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has "bash" 
| where ProcessCommandLine has_any ("tmsh", "bigstart", "restjavad")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc

// Correlate F5 Management Access with failed authentication attempts
Syslog
| where Facility == "local0" 
| where ProcessName contains "httpd"
| where SyslogMessage has "Authentication failed"
| project TimeGenerated, Computer, ProcessName, SyslogMessage
| summarize count() by Computer, bin(TimeGenerated, 1h)

Velociraptor VQL Hunt Queries

For organizations using Velociraptor for Digital Forensics and Incident Response (DFIR), these artifacts can help hunt for indicators of compromise on suspected BIG-IP appliances or Linux servers.

VQL — Velociraptor
-- Hunt for F5 BIG-IP specific configuration changes or suspicious scripts
SELECT FullPath, Size, ModTime, Mode
FROM glob(globs='/config/bigip.conf', '/var/log/audit/**')
WHERE ModTime > now() - 7d

-- Scan running processes for suspicious network connections or shells
SELECT Pid, Name, Exe, Username, Cwd, Cmdline
FROM pslist()
WHERE Name =~ 'bash' 
   AND Cmdline =~ '(curl|wget|perl).*\|.*sh'
   OR Exe =~ '/tmp'

Remediation Scripts

PowerShell: Verify F5 BIG-IP Device Status

This script can be used by administrators to query the version of F5 devices (via API or SSH) against known vulnerable versions.

PowerShell
# Note: This is a template for checking versions. 
# Ensure you have the F5 iControlREST module or appropriate SSH libraries.

$F5Devices = @("bigip1.domain.local", "bigip2.domain.local")
$VulnerableVersions = @("15.1.0", "14.1.2") # Example list, verify against official F5 advisory for CVE-2025-53521

foreach ($Device in $F5Devices) {
    Write-Host "Checking $Device..."
    # Example API Call logic would go here (using Invoke-RestMethod)
    # $Version = Get-F5Version -Device $Device
    
    # if ($Version in $VulnerableVersions) {
    #     Write-Warning "[ALERT] $Device is running vulnerable version: $Version"
    # } else {
    #     Write-Host "[OK] $Device is patched or running safe version."
    # }
}

Bash: Immediate Workaround Check

If immediate patching is not possible, use this script to check if specific mitigation controls (like disabling the management interface from the internet) are in place.

Bash / Shell
#!/bin/bash
# Check if Management Port is listening externally

echo "Checking Management Interface Exposure..."

# Check if port 443 is listening on non-loopback
if netstat -tuln | grep ':443' | grep -v '127.0.0.1' > /dev/null; then
    echo "[WARNING] Management interface appears exposed on external IP."
else
    echo "[INFO] Management interface does not appear to be listening externally."
fi

# Check for recent tmsh modifications
echo "Checking for recent tmsh config changes..."
find /config -name "bigip.conf" -mtime -1 -exec ls -l {} \;

Remediation

Given the active exploitation status, organizations must treat this with the highest priority.

  1. Patch Immediately: Apply the relevant updates provided by F5 Networks for CVE-2025-53521. Ensure you are upgrading to a version that explicitly addresses this CVE.
  2. Restrict Management Access: If patching is delayed, ensure the management interface of the BIG-IP device is not accessible from the internet. Restrict access to trusted internal IP ranges only via firewall rules or Access Control Lists (ACLs).
  3. Audit Logs: Review BIG-IP system logs for any suspicious configuration changes, failed login attempts, or unexpected bash process execution leading up to this alert.
  4. Reset Credentials: As a precautionary measure, if a device was unpatched during the active exploitation window, consider resetting admin credentials and rotating API tokens.

Executive Takeaways

CISA's addition of CVE-2025-53521 to the KEV Catalog is a stark reminder that perimeter infrastructure remains a prime target. Unauthenticated code execution vulnerabilities are the "keys to the kingdom" for attackers.

  • Risk: High. The vulnerability is being used in the wild.
  • Action: Patching is mandatory. Configuration mitigations (network restriction) are temporary stopgaps.
  • Compliance: This falls under BOD 22-01, meaning federal agencies have strict deadlines, but private sector entities should follow suit to maintain cyber resilience.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

vulnerabilitycvepatchwindowsmicrosoftf5-big-ipcisapatch-management

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action