Attackers Exploit Critical F5 BIG-IP Flaw CVE-2025-53521 to Deploy Webshells on Unpatched Devices

By Ash K

Attackers are now actively exploiting a critical vulnerability in F5 BIG-IP Access Policy Manager (APM), prompting urgent warnings from F5 and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for organizations to patch immediately. The flaw, tracked as CVE-2025-53521, was initially described as a denial-of-service issue but has since been reclassified as remote code execution after F5 confirmed real-world attacks involving webshell deployment on unpatched systems.

According to the updated F5 advisory and the NVD record, the vulnerability affects BIG-IP systems when an APM access policy is configured on a virtual server. Under those conditions, specially crafted malicious traffic can trigger remote code execution. CISA has now added the flaw to its Known Exploited Vulnerabilities catalog, confirming active exploitation and elevating the issue from a high-priority patch item to an active incident-response concern.

The change in severity is significant. What was previously treated as a crash-style issue is now understood to be a bug attackers can use to execute code before authentication and drop webshells onto vulnerable appliances. That makes the flaw much more dangerous for edge devices sitting in front of remote access, authentication, and application delivery workflows. BleepingComputer reported that F5 and CISA both published indicators of compromise and emergency guidance after exploitation was confirmed.

The urgency is amplified by the size of the exposed attack surface. BleepingComputer reported that Shadowserver is tracking more than 240,000 BIG-IP instances exposed online. That figure does not mean all of them are vulnerable or exploitable in the same way, but it does show the sheer scale of internet-facing BIG-IP infrastructure that defenders may need to inventory and validate quickly.

CISA’s KEV entry and related reporting indicate that federal agencies were given a rapid remediation deadline after the flaw was listed as actively exploited. Multiple outlets reported that the required mitigation date was March 30, 2026, a sign of how seriously the U.S. government is treating the risk. For private-sector organizations, the KEV listing serves as a similarly strong signal: if patching has not happened yet, the exposure window is already too wide.

The concern around this bug is also shaped by F5’s broader security context. Researchers and industry observers have pointed out that BIG-IP vulnerabilities have attracted intense attention since F5 disclosed in 2025 that a nation-state actor had accessed portions of its source code and internal vulnerability details. That history does not itself show how CVE-2025-53521 is being exploited today, but it helps explain why defenders are assuming attackers can move very quickly from disclosure to weaponization; that assumption is an inference from public reporting and the earlier F5 disclosure, not a statement from the current advisory.

Operationally, this is the kind of edge-appliance flaw that can become a major foothold if ignored. A pre-auth RCE on BIG-IP APM can give an attacker webshell persistence on the appliance, access to the user sessions the device brokers, visibility into traffic the device terminates, and a launch point for lateral movement into the networks behind it, depending on how the device is deployed. That is an analytical conclusion based on the nature of the product and the confirmed use of webshells in attacks, not on published details of any specific intrusion.

Organizations running BIG-IP should move immediately to inventory internet-facing appliances, confirm which virtual servers have an APM access policy attached (the condition F5’s advisory ties the vulnerability to), check running versions against the fixed versions in the advisory, apply F5’s fixes, review the vendor’s indicators of compromise, and inspect appliances for webshells or unexpected changes. The current situation is no longer about theoretical risk. The flaw is being used in the wild, and the combination of active exploitation plus a massive exposed footprint means delayed patching could quickly turn into a full incident.
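The advisory’s affected condition, an APM access policy configured on a virtual server, is something a defender can enumerate rather than guess at. The following Python script is an added example, not tooling from F5, CISA or this article: it cross-references the brace-formatted output of `tmsh list apm profile access` and `tmsh list ltm virtual` captured on the appliance, and reports every virtual server that carries one of the device’s access profiles. The sample tmsh output embedded in it is constructed for illustration, and the assumed layout (top-level objects opening with `<module> <type> <name> {` and closing with `}` at column 0, profiles listed by name inside a `profiles { ... }` stanza) should be verified against a real device before the result is trusted.

```python
"""Which BIG-IP virtual servers have an APM access policy attached?

Added example, not tooling from F5, CISA or the article. It cross-references the
brace-formatted output of `tmsh list apm profile access` and `tmsh list ltm virtual`
captured on the appliance. Assumed layout: top-level objects open with
'<module> <type> <name> {' and close with '}' at column 0, and a virtual server's
profiles are listed by name inside its 'profiles { ... }' stanza. The samples below
are constructed, not captured; verify the format against a real device.
"""
import re

# Constructed sample of `tmsh list apm profile access`: two access profiles are
# defined on the device, but only one of them is attached to a virtual server.
SAMPLE_ACCESS_PROFILES = """\
apm profile access /Common/corp_vpn_ap {
    type ltm-apm
}
apm profile access /Common/sso_portal_ap {
    type ltm-apm
}
"""

# Constructed sample of `tmsh list ltm virtual`: two virtual servers. Only
# vs_vpn_443 carries an access profile; it also has a nested profile block.
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_vpn_443 {
    destination /Common/203.0.113.10:443
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/corp_vpn_ap { }
        /Common/http { }
    }
}
ltm virtual /Common/vs_web_80 {
    destination /Common/203.0.113.11:80
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
"""

OBJECT_HEADER = re.compile(r"^(apm profile access|ltm virtual) (\S+) \{\s*$")
PROFILE_REF = re.compile(r"^(\S+) \{( \})?$")  # "/Common/http { }" or "/Common/clientssl {"

def split_objects(text):
    """Return (name, body_lines) for each top-level tmsh object in text."""
    objects, name, body = [], None, []
    for line in text.splitlines():
        header = OBJECT_HEADER.match(line)
        if header:
            name, body = header.group(2), []
        elif line == "}" and name is not None:
            objects.append((name, body))
            name = None
        elif name is not None:
            body.append(line)
    return objects

def virtual_profiles(body):
    """Profile names referenced inside a virtual server's 'profiles { ... }' stanza."""
    names, depth = [], 0
    for line in body:
        stripped = line.strip()
        if depth == 0:
            depth = 1 if stripped == "profiles {" else 0
            continue
        if stripped == "}":
            depth -= 1  # closes a nested profile block, or the stanza itself
            continue
        ref = PROFILE_REF.match(stripped)
        if ref:
            names.append(ref.group(1))
            if ref.group(2) is None:  # "/Common/x {" opens a nested block
                depth += 1
    return names

def destination(body):
    """The virtual server's listener as 'ip:port', partition prefix stripped."""
    for line in body:
        m = re.match(r"^\s*destination (\S+)", line)
        if m:
            return m.group(1).rsplit("/", 1)[-1]
    return None

def find_apm_virtuals(virtual_text, access_text):
    """Virtual servers carrying an APM access profile: the advisory's affected condition."""
    ap_names = {name for name, _ in split_objects(access_text)}
    hits = []
    for name, body in split_objects(virtual_text):
        attached = [p for p in virtual_profiles(body) if p in ap_names]
        if attached:
            hits.append({"virtual": name, "destination": destination(body),
                         "access_profiles": attached})
    return hits

if __name__ == "__main__":
    for hit in find_apm_virtuals(SAMPLE_VIRTUALS, SAMPLE_ACCESS_PROFILES):
        print(f"{hit['virtual']} on {hit['destination']} -> {', '.join(hit['access_profiles'])}")
```

The script deliberately keys on profiles that are attached, not merely defined: an access profile that exists on the box but is not referenced by any virtual server does not meet the advisory’s condition, which is why `sso_portal_ap` in the sample produces no hit. Run the two tmsh commands on each device and feed their output in place of the constructed samples; note that `tmsh list` shows only the current partition by default, so either run it with the `recursive` option or repeat it per partition to cover everything.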

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.