CVE-2025-53521: RCE Bug in F5 BIG-IP APM Under Active Exploitation


CVE-2025-53521 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in F5 BIG-IP Access Policy Manager (APM). It enables attackers to execute arbitrary commands on affected systems via specially crafted traffic targeting APM-enabled virtual servers. Originally misclassified as a DoS issue, it was reclassified in March 2026 as RCE (CVSS 9.8) after confirmed real-world exploitation and post-compromise malware activity.

Severity: Critical

Vulnerability Profile (CVE-2025-53521)

  • Cause: The vulnerability stems from improper handling of requests in the APM module, enabling execution paths that bypass expected controls (CWE-770).
  • Affected Component: The vulnerability resides within the apmd process.
  • Exploitation:
    • An unauthenticated attacker can send specific malicious traffic to a virtual server configured with an APM access policy to achieve RCE.
    • F5 confirmed active exploitation of vulnerable versions, deployment of malicious software c05d5254, use of fileless techniques, and system tampering.
    • Systems upgraded from a vulnerable to a fixed version may still be compromised, because the malware can persist across the upgrade.
  • Vulnerable Versions:
    • BIG-IP APM 17.x: 17.1.0–17.1.2 and 17.5.0–17.5.1.
    • BIG-IP APM 16.x: 16.1.0–16.1.6.
    • BIG-IP APM 15.x: 15.1.0–15.1.10.

Indicators Of Exploitation

  1. Files on Disk
    • Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm
    • Hash/size/timestamp mismatch on /usr/bin/umount and/or /usr/sbin/httpd
  2. Suspicious Log Entries
    • restjavad-audit log: POST to /mgmt/tm/util/bash from local user f5hubblelcdadmin via the iControl REST API
    • auditd log: SELinux enforcement disabled (setenforce 0) via systemd
    • audit log: Base64-encoded payloads written to disk and execution of /run/bigstart.ltm
  3. Command Output
    • sys-eicheck failures on umount / httpd
    • lsof -n showing open handles to /run/bigtlog.pipe
  4. Potentially Modified Web Files (presence alone not conclusive)
    • /var/sam/www/webtop/renderer/apm_css.php3
    • /var/sam/www/webtop/renderer/full_wt.php3
    • /var/sam/www/webtop/renderer/webtop_popup_css.php3
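The following POSIX shell triage script is an added example, not code from F5 or from this advisory; it checks the file, log and command-output indicators listed above on a BIG-IP host. The log locations /var/log/restjavad-audit.0.log and /var/log/audit/audit.log and the rpm fallback for when sys-eicheck is unavailable are assumptions; pass other log paths as arguments if yours differ.

```shell
#!/bin/sh
# Triage helper for the indicators listed in this advisory (added example).
# Assumed, not from the advisory: restjavad audit log at
# /var/log/restjavad-audit.0.log, auditd log at /var/log/audit/audit.log,
# and "rpm -V" as a fallback when F5's sys-eicheck is not on PATH.
IOC_FILES="/run/bigtlog.pipe /run/bigstart.ltm"
TAMPER_BINS="/usr/bin/umount /usr/sbin/httpd"

# Return 1 (printing each hit) if a listed file exists under ROOT (default "/").
check_ioc_files() {
    root="${1:-}"; hit=0
    for f in $IOC_FILES; do
        if [ -e "$root$f" ]; then echo "IOC file present: $root$f"; hit=1; fi
    done
    return $hit
}

# Return 1 if the restjavad audit log records a POST to /mgmt/tm/util/bash
# by the local f5hubblelcdadmin account (the pattern named above).
check_rest_audit() {
    log="${1:-/var/log/restjavad-audit.0.log}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    hits=$(grep f5hubblelcdadmin "$log" | grep POST | grep /mgmt/tm/util/bash || true)
    [ -z "$hits" ] && return 0
    printf 'iControl REST bash calls:\n%s\n' "$hits"; return 1
}

# Return 1 if auditd shows SELinux disabled (setenforce 0, as plain text or
# as an EXECVE record a0="setenforce" a1="0") or execution of /run/bigstart.ltm.
check_auditd() {
    log="${1:-/var/log/audit/audit.log}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    hits=$(grep -E 'setenforce("? a1=")? ?"?0"?( |$)|/run/bigstart\.ltm' "$log" || true)
    [ -z "$hits" ] && return 0
    printf 'auditd hits:\n%s\n' "$hits"; return 1
}
# Run every check on the live host; exit 1 if anything needs review.
run_triage() {
    rc=0
    check_ioc_files || rc=1
    check_rest_audit || rc=1
    check_auditd || rc=1
    # Binary tampering: F5's sys-eicheck if present, else rpm verification.
    if command -v sys-eicheck >/dev/null 2>&1; then sys-eicheck || rc=1
    else rpm -Vf $TAMPER_BINS || rc=1; fi
    if lsof -n 2>/dev/null | grep -q /run/bigtlog.pipe; then echo "open handle: /run/bigtlog.pipe"; rc=1; fi
    [ $rc -eq 0 ] && echo "no advisory indicators found" || echo "REVIEW: indicators present"
    return $rc
}
case "${1:-}" in --run) run_triage ;; esac
```

Run it as root on the appliance with `sh triage.sh --run`; a non-zero exit means at least one indicator matched and the K000160486 guidance applies.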

Recommendations

  1. Immediately upgrade affected BIG-IP APM to a fixed release: 17.5.1.3, 17.1.3, 16.1.6.1, or 15.1.10.8.
  2. If you have not upgraded to a fixed version or if you upgraded from a vulnerable BIG-IP version to a fixed BIG-IP version, F5 recommends reviewing the Indicators of Compromise in K000160486: https://my.f5.com/manage/s/article/K000160486
  3. If you suspect a security compromise on your BIG-IP system, review the following article: K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system.

Source:

  • https://my.f5.com/manage/s/article/K000156741
  • https://my.f5.com/manage/s/article/K000160486

Ampcus Cyber