Back to Intelligence

CVE-2025-53521: F5 BIG-IP Unauthenticated RCE — Detection and Emergency Hardening

SA
Security Arsenal Team
April 12, 2026
5 min read

Introduction

On March 27, 2026, CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation of a critical security flaw in F5 BIG-IP systems. This vulnerability allows unauthenticated remote code execution (RCE), providing malicious actors with a direct pathway to compromise network infrastructure. Given the privileged position of BIG-IP devices in data centers—often sitting at the perimeter and handling decrypted traffic—this is not a standard application bug; it is a potentially catastrophic network breach.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by the deadline set in Binding Operational Directive (BOD) 22-01. However, the risk extends far beyond the federal government. Any organization utilizing BIG-IP ADW, APM, ASM, or LTM modules is currently in the crosshairs.

Technical Analysis

Affected Products: F5 BIG-IP (all physical, virtual, and VIPRION editions).

CVE Identifier: CVE-2025-53521

CVSS Score: 9.8 (Critical)

Vulnerability Mechanics: The vulnerability resides in the traffic management interface (specifically the REST API or TMUI components, depending on the specific undisclosed vector). It allows an attacker to send a specially crafted HTTP request to the management interface (self-IPs or port 443). Because the device trusts this input implicitly, the request bypasses authentication checks and executes arbitrary commands with root privileges on the underlying Linux-based operating system (TMOS).

Exploitation Status: CISA has confirmed evidence of active exploitation. Attackers are leveraging this vulnerability to gain initial access, drop webshells, and move laterally into internal networks. The attack chain is typically:

  1. Reconnaissance: Scanning for open BIG-IP management ports (443/8443).
  2. Exploitation: Sending unauthenticated malicious HTTP payloads.
  3. Execution: Spawning a reverse shell or writing a persistence mechanism (cron job or modified binary).
  4. Lateral Movement: Using the BIG-IP as a jump box to attack internal servers.

Detection & Response

Due to the severity of active exploitation, defenders must assume that scans and exploitation attempts are already occurring.

Sigma Rules

YAML
---
title: F5 BIG-IP Potential Exploit - Management Interface Access
id: 8a4b2c1d-3e5f-4a6b-9c8d-1e2f3a4b5c6d
status: experimental
description: Detects suspicious access patterns to F5 BIG-IP management interfaces often associated with CVE-2025-53521 exploitation attempts, specifically targeting REST or TMUI endpoints.
references:
  - https://www.cisa.gov/news-events/alerts/2026/03/27/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/03/27
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: nginx
detection:
  selection:
    c-uri|contains:
      - '/mgmt/tm/util/bash'
      - '/mgmt/shared/authn/login'
      - '/tmui/login.jsp'
    c-uri|contains:
      - 'command'
      - 'exec'
  condition: selection
falsepositives:
  - Legitimate administrative API usage from known internal blocks
level: critical
---
title: Linux Root Shell Spawned by Web Server - Potential BIG-IP Exploit
id: 9c5d3e2f-4a6b-7c8d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects the execution of a shell (bash/sh) spawned by the F5 BIG-IP web server process (httpd), which is highly indicative of successful RCE exploitation.
references:
  - https://www.cisa.gov/news-events/alerts/2026/03/27/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/03/27
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/httpd'
    Image|endswith:
      - '/bash'
      - '/sh'
    UserName: 'root'
  condition: selection
falsepositives:
  - Authorized administrative troubleshooting (rare)
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious URI paths in F5 BIG-IP logs (via Syslog/CEF)
// Adjust 'Computer' or 'DeviceVendor' based on your ingestion format
Syslog
| where ProcessName contains "nginx" or SyslogMessage contains "BIG-IP"
| extend EventData = parse_(SyslogMessage) // If using CEF/JSON ingestion
| where SyslogMessage has_any("/mgmt/tm/util/bash", "/tmui/login.jsp", "command=run")
| project TimeGenerated, Computer, HostName, SyslogMessage, ProcessName
| extend Timestamp = TimeGenerated


// Hunt for process creation indicative of web shell activity on Linux endpoints
DeviceProcessEvents 
| where InitiatingProcessFileName =~ "httpd" 
| where FileName in~ ("bash", "sh", "nc", "perl", "python")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine

Velociraptor VQL

VQL — Velociraptor
-- Hunt for unexpected child processes of the BIG-IP httpd daemon
SELECT Pid, Name, CommandLine, Exe, Username, Parent.Pid AS ParentPid, Parent.Name AS ParentName, CreateTime
FROM pslist()
WHERE Parent.Name =~ "httpd"
  AND Name =~ "(bash|sh|nc|perl|python|telnet)"
LIMIT 100

Remediation Script (Bash)

Run this script on the BIG-IP device to verify the current version and check for the presence of common webshells or suspicious users.

Bash / Shell
#!/bin/bash
# F5 BIG-IP Emergency Check for CVE-2025-53521 Indicators
# Run as root

echo "[*] Checking BIG-IP Version..."
tmsh show sys version | grep "Version"

echo "[*] Checking for recent modifications to /config/httpd/conf (Potential Webshells)..."
find /config/httpd -name ".jsp" -o -name ".php" -mtime -1

echo "[*] Checking for suspicious cron jobs..."
crontab -l -u root

echo "[*] Listing active network connections for reverse shells..."
netstat -antp | grep ESTABLISHED | grep -v "443\|80\|22"

echo "[*] Checking for recently added users..."
grep ":[0-9]_[0-9]:[0-9]:::" /etc/passwd

echo "[!] Verification Complete. If anomalies found, initiate Incident Response."

Remediation

Given the confirmed active exploitation, remediation must be treated as an emergency incident response activity rather than standard patch management.

  1. Immediate Patching:

    • Upgrade to the latest F5 BIG-IP software version. Check the official F5 Security Advisory for CVE-2025-53521 for the specific fixed versions (typically Q2 2026 or later hotfixes).
    • Vendor Advisory: F5 Security Advisory (Placeholder link specific to the CVE).

  2. Network Isolation (Emergency Control):

    • Restrict management interface access (Port 443/TCP and 8443/TCP) strictly to trusted internal subnets. Block access to the management interface from the internet immediately.
    • Ensure Self-IPs are not configured with "Port Lockdown" set to "Allow All" unless strictly necessary.

  3. Configuration Hardening:

    • Disable the REST API if not explicitly required for operations, or restrict it to specific source IP ranges using AFM (Advanced Firewall Manager) or the Management Port allow-list.

  4. CISA Deadline:

    • Per BOD 22-01, FCEB agencies must remediate this vulnerability by the deadline specified in the KEV entry (typically within weeks of catalog addition).

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

vulnerabilitycvepatchzero-dayf5-big-ipcve-2025-53521rcecisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action