The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw, tracked as CVE-2025-53521, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability impacts F5 BIG-IP Access Policy Manager (APM) and carries a CVSS v4 score of 9.3, indicating critical severity.
CISA adds an entry to the KEV catalog only when it has credible evidence of exploitation in the wild. For defenders, that means working exploit capability is already in attackers' hands and any exposed, unpatched device may already be compromised. Organizations relying on F5 BIG-IP APM for remote access should treat this as an immediate emergency: patch first, then hunt for signs of prior compromise.
Understanding the Risk
CVE-2025-53521 is an unauthenticated code execution vulnerability. In plain language, this means an attacker does not need valid credentials to exploit this flaw. If successful, they can execute arbitrary code with elevated privileges on the BIG-IP system.
Why is this critical for defenders? F5 BIG-IP devices typically sit at the network edge, terminating traffic for internal applications. A compromised BIG-IP acts as a trusted bridge: attackers can pivot into the internal network, intercept or modify traffic, or stage ransomware. Because APM terminates remote-access sessions, a compromised device also exposes the credentials and session material that pass through it. The absence of any authentication requirement sharply lowers the barrier for threat actors.
Technical Analysis
- CVE ID: CVE-2025-53521
- Affected Product: F5 BIG-IP Access Policy Manager (APM)
- CVSS v4 Score: 9.3 (Critical)
- Impact: Unauthenticated Remote Code Execution (RCE)
- CISA KEV Status: Added due to active exploitation
F5 BIG-IP APM is the module that provides remote access (SSL VPN, clientless portal access and identity-aware application access) to corporate networks. The flaw lies in the APM component, and successful exploitation allows an unauthenticated attacker to execute arbitrary system commands on the underlying TMOS host, which amounts to full compromise of the device.
F5 has published a security advisory addressing this issue. Check the exact version and build of every device against the advisory's affected and fixed version tables, because fixes are published per software branch; the remediation is to upgrade to a version the advisory lists as fixed for your branch. Where an immediate upgrade is not possible, apply any mitigations the advisory lists and treat the device as potentially compromised until it has been reviewed.
Defensive Monitoring
Since active exploitation is confirmed, IT and Security teams must hunt for indicators of compromise (IOCs) while the patching process is underway. Below are detection rules and queries for SIGMA, Microsoft Sentinel (KQL), and Velociraptor (VQL).
SIGMA Detection Rules
These rules key on behaviour that follows a successful exploit rather than on the exploit request itself: the BIG-IP web server (httpd) spawning a shell, and file changes in configuration and web directories. They assume process-creation and file events are collected from the TMOS host (which is Linux-based) via auditd or an endpoint agent; BIG-IP's built-in logging does not include process-creation events.
---
title: F5 BIG-IP Suspicious Shell Spawn from Web Server
id: 8c7d6e5f-4a3b-4c2d-9e1f-2a3b4c5d6e7f
status: experimental
description: Detects the BIG-IP web server process (httpd) spawning a shell, which is indicative of post-exploitation command execution on the device. Requires process-creation telemetry (e.g. auditd) from the TMOS host.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026-03-29
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/httpd'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/ksh'
            - '/dash'
    condition: selection
falsepositives:
    - Authorized administrative troubleshooting
    - Configuration utility actions that legitimately shell out; baseline before alerting
level: critical
---
title: F5 BIG-IP Suspicious File Access in Web Root
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects file modification or access under the BIG-IP configuration, log and web directories by accounts other than root or the f5 service accounts. Most BIG-IP daemons run as root, so this rule only catches the noisier cases; pair it with the httpd shell-spawn rule and with file-integrity checks on /config.
references:
    - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026-03-29
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: file_event
    product: linux
detection:
    selection:
        TargetFilename|contains:
            - '/config/'
            - '/var/log/'
            - '/www/'
    filter:
        User|contains:
            - 'root'
            - 'f5'
    condition: selection and not filter
falsepositives:
    - Legitimate F5 system administration
    - Log rotation and other scheduled maintenance running under service accounts
level: high
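Before shipping the two rules above to a SIEM, it is worth running their logic over a handful of known-good and known-bad events. The following is an added example, not code from the original page: a minimal Sigma-style matcher that implements only the modifiers the rules use (endswith, contains) and the conditions "selection" and "selection and not filter", then runs both rules over constructed process and file events. Event paths and user names are made up for the example.

```python
"""
Added example (not from the original page): a minimal Sigma-style matcher that
runs the two BIG-IP rules above over constructed process and file events, so the
detection logic can be checked before the YAML is shipped to a SIEM.
Only the modifiers the rules use (endswith, contains) are implemented.
"""
from __future__ import annotations

# The two rules, transcribed from the Sigma YAML above. 'filter' is None when the
# condition is just 'selection'.
SHELL_SPAWN_RULE = {
    "title": "F5 BIG-IP Suspicious Shell Spawn from Web Server",
    "selection": {
        "ParentImage|endswith": ["/httpd"],
        "Image|endswith": ["/sh", "/bash", "/ksh", "/dash"],
    },
    "filter": None,
}

WEB_ROOT_FILE_RULE = {
    "title": "F5 BIG-IP Suspicious File Access in Web Root",
    "selection": {"TargetFilename|contains": ["/config/", "/var/log/", "/www/"]},
    "filter": {"User|contains": ["root", "f5"]},
}

# Constructed sample events using Sigma's linux field names (Image, ParentImage,
# TargetFilename, User). Paths and users are made up for this example.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": "/bin/sh", "ParentImage": "/usr/sbin/httpd", "User": "root"},
    {"id": "e2", "Image": "/usr/bin/tmsh", "ParentImage": "/usr/sbin/httpd", "User": "root"},
    {"id": "e3", "Image": "/bin/bash", "ParentImage": "/usr/sbin/sshd", "User": "admin"},
    {"id": "e4", "TargetFilename": "/config/bigip.conf", "User": "root"},
    {"id": "e5", "TargetFilename": "/var/www/uploads/x.php", "User": "apache"},
    {"id": "e6", "TargetFilename": "/tmp/scratch.txt", "User": "nobody"},
]


def field_matches(event: dict, key: str, values: list[str]) -> bool:
    """Evaluate one 'Field|modifier: [values]' entry; the value list is an OR."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:  # a missing field never matches, in selection or filter
        return False
    if modifier == "endswith":
        return any(actual.endswith(v) for v in values)
    if modifier == "contains":
        return any(v in actual for v in values)
    if modifier == "":
        return actual in values
    raise ValueError(f"unsupported modifier: {modifier}")


def block_matches(event: dict, block: dict) -> bool:
    """A Sigma map is an AND across its fields."""
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_matches(event: dict, rule: dict) -> bool:
    """Implements 'condition: selection' or 'condition: selection and not filter'."""
    if not block_matches(event, rule["selection"]):
        return False
    if rule["filter"] is not None and block_matches(event, rule["filter"]):
        return False
    return True


def run_rules(events: list[dict], rules: list[dict]) -> list[tuple[str, str]]:
    """Return (rule title, event id) for every hit, in event order."""
    return [(r["title"], e["id"]) for e in events for r in rules if rule_matches(e, r)]


if __name__ == "__main__":
    for title, event_id in run_rules(SAMPLE_EVENTS, [SHELL_SPAWN_RULE, WEB_ROOT_FILE_RULE]):
        print(f"{event_id}: {title}")
```

Running it flags e1 (httpd spawning /bin/sh) and e5 (a non-root write under a /www/ path) and nothing else; e4 shows why the second rule's root filter is a blind spot on a platform where most daemons run as root.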
KQL for Microsoft Sentinel / Defender
If you forward F5 logs to Sentinel (syslog, and ideally auditd or endpoint-agent process events from the TMOS host), use these queries to hunt for suspicious activity. The Syslog query assumes a key=value message body carrying ParentProcessName and ProcessName tokens; adjust the extraction to the layout your agent actually emits.
// Hunt for shells whose parent is the httpd process.
// Assumes forwarded process-creation records with ParentProcessName=<path> and
// ProcessName=<path> tokens in the message; adjust the regexes to your agent.
Syslog
| where SyslogMessage has "httpd"
| extend ParentProcessName = extract(@'ParentProcessName=(\S+)', 1, SyslogMessage)
| extend ChildProcessName = extract(@'ProcessName=(\S+)', 1, SyslogMessage)
| where ParentProcessName endswith "/httpd" or ParentProcessName == "httpd"
| where ChildProcessName has_any ("sh", "bash", "dash", "ksh", "tcsh")
| summarize Count = count(), Samples = make_set(SyslogMessage, 5) by Computer, ChildProcessName, bin(TimeGenerated, 5m)
| order by TimeGenerated desc
// Hunt for connections originating from the BIG-IP itself to unexpected ports.
// CEF from the F5 mostly describes traffic traversing the device, so constrain
// the source to the device's own self-IPs and management IP.
let BigIpSelfIPs = dynamic(["10.0.0.5", "10.0.0.6"]); // replace with your self-IPs and management IP
CommonSecurityLog
| where DeviceVendor == "F5 Networks"
| where SourceIP in (BigIpSelfIPs)
| where DestinationPort !in (443, 80, 53, 22, 123) // expected service ports; tune to your environment
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP, DestinationIP, DestinationPort
| order by Count asc // rare destinations first
Velociraptor VQL Hunt Queries
Use these VQL artifacts to hunt directly on the F5 BIG-IP endpoint if you have Velociraptor deployed or can run a temporary artifact collection.
-- Shells whose parent is httpd. The anchored regex avoids matching sshd, fish, etc.
SELECT * FROM foreach(
    row={
        SELECT Pid AS HttpdPid FROM pslist() WHERE Name =~ "^httpd$"
    },
    query={
        SELECT Pid, Ppid, Name, Exe, CommandLine, Username
        FROM pslist()
        WHERE Ppid = HttpdPid AND Name =~ "^(sh|bash|ksh|dash)$"
    })

-- Files modified in the last 24 hours under /config and /var/log.
-- now() returns epoch seconds, so build the cutoff with timestamp().
LET Cutoff <= timestamp(epoch=now() - 86400)
SELECT OSPath, Size, Mtime, Mode
FROM glob(globs=["/config/**", "/var/log/**"])
WHERE NOT IsDir AND Mtime > Cutoff
ORDER BY Mtime DESC
Bash Verification Script
Run this script on the F5 BIG-IP device (bash on TMOS, requires tmsh access) to record the running version, installed software volumes and recent changes. It reports only; compare the Version and Build values against the advisory's fixed-version table yourself.
#!/bin/bash
# Report BIG-IP version, installed software volumes and recently changed files.
# Compare Version/Build against the "Fixes introduced in" column of F5's
# advisory for CVE-2025-53521; this script only reports, it does not decide.
set -u
echo "== BIG-IP version =="
tmsh show sys version
echo "== Installed software volumes and hotfixes =="
tmsh show sys software
echo "== Files changed in the last 24h under /config and /var/log =="
find /config /var/log -xdev -type f -mtime -1 -ls
echo "== Shells currently running under httpd =="
HTTPD_PIDS=$(pgrep -d, -x httpd)
if [ -n "$HTTPD_PIDS" ]; then
  ps -o pid,ppid,user,comm,args --ppid "$HTTPD_PIDS" | awk 'NR==1 || $4 ~ /^(sh|bash|ksh|dash)$/'
fi
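The version check above stops at printing; the comparison against the advisory is left to the operator, and F5 publishes fixes per software branch (for example one fixed version for 17.1.x and another for 16.1.x), so a naive "greater than" test across branches gives wrong answers. The following is an added example, not the page's script or F5 tooling: it parses the Version line out of pasted `tmsh show sys version` output and compares it branch by branch against a list of fixed versions copied from the advisory. The sample output and the fixed versions in it are placeholders that show the shape of the check, not values from the real advisory; hotfixes and engineering hotfixes do not appear in the Version line and must be checked separately in `tmsh show sys software`.

```python
"""
Added example (not from the original page or from F5): parse the Version line out
of `tmsh show sys version` output and compare it, branch by branch, against the
fixed versions copied from F5's advisory. Fixed versions below are placeholders.
"""
from __future__ import annotations

import re

# Constructed sample of `tmsh show sys version` output (values made up).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1
  Build       0.0.3
  Edition     Final
  Date        Fri Oct 20 10:19:58 PDT 2023
"""

Version = tuple[int, ...]


def parse_version(tmsh_output: str) -> Version:
    """Extract the dotted Version value from the Main Package block."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)*)\s*$", tmsh_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Version' line found in tmsh output")
    return tuple(int(part) for part in m.group(1).split("."))


def to_version(text: str) -> Version:
    """'17.1.1.1' -> (17, 1, 1, 1)."""
    return tuple(int(part) for part in text.split("."))


def branch(v: Version) -> Version:
    """F5 publishes fixes per major.minor branch (e.g. 17.1.x, 16.1.x)."""
    return v[:2]


def assess(installed: Version, fixed_versions: list[str]) -> str:
    """
    'fixed'              installed is at or above the fixed version for its branch
    'vulnerable'         a fix exists for the branch but installed is below it
    'branch-not-covered' the advisory lists no fix for this branch (often meaning
                         the branch is out of support and needs a branch upgrade)
    """
    for fixed_text in fixed_versions:
        fixed = to_version(fixed_text)
        if branch(fixed) == branch(installed):
            # Tuple comparison handles different lengths: (17,1,1) < (17,1,1,1)
            return "fixed" if installed >= fixed else "vulnerable"
    return "branch-not-covered"


if __name__ == "__main__":
    # Placeholder fixed versions; replace with the advisory's "Fixes introduced in" column.
    FIXED_VERSIONS = ["17.1.1.1", "16.1.5"]
    installed = parse_version(SAMPLE_TMSH_OUTPUT)
    print(".".join(map(str, installed)), "->", assess(installed, FIXED_VERSIONS))
```

With the placeholder data the sample device (17.1.1) is reported as vulnerable because its branch's fix is 17.1.1.1; a 15.1.x device would come back as branch-not-covered, which in practice usually means a branch upgrade rather than a point release.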
Remediation
To protect your organization against CVE-2025-53521, Security Arsenal recommends the following immediate actions:
- Patch Immediately: Apply the fixes provided in the F5 Security Advisory for CVE-2025-53521. Upgrade to a version listed as "Fixed" in the advisory.
- Restrict Management Access: Ensure the BIG-IP management interface is not reachable from the internet, and limit access with strict firewall rules to internal management subnets only. Note that an APM virtual server is by design reachable by remote users, so if the vulnerable code path is exposed through APM itself this step is necessary hygiene but not a mitigation on its own.
- Review APM Profiles: Audit your Access Policy Manager configurations to ensure no unnecessary services or policies are exposed to untrusted networks.
- Audit Logs: Review logs for at least the period since the vulnerability was publicly disclosed, not just the 48 hours before patching, since KEV addition lags first exploitation. Look for the indicators in the detection section above, along with unexpected configuration changes in the tmsh audit log (/var/log/audit), new local accounts, and unfamiliar files under /config.