(TLP:CLEAR) Critical RCE Vulnerability in F5 BIG-IP APM Under Active Exploitation (CVE-2025-53521)
Created: Monday, March 30, 2026 - 15:17
Categories: Cybersecurity, Security Preparedness
Summary: A known critical vulnerability in F5 BIG-IP Access Policy Manager (APM) is under active exploitation.
Upon discovery of active exploitation, F5 updated its advisory to confirm that the vulnerability has been exploited in the vulnerable BIG-IP versions. However, the company did not share any additional details on who may be behind the exploitation activity. F5 also published several indicators of compromise (IOCs) that can be used to assess whether the system has been compromised.
Analyst Comment: This remote code execution (RCE) vulnerability in F5 BIG-IP APM is especially dangerous because attackers can exploit it without needing log-in credentials. Since the system often sits at the edge of the network and controls remote access, a successful attack could permit an attacker to breach the system and move around undetected. For water utilities, this is concerning because once inside the IT network, attackers may be able to reach systems connected to OT.
WaterISAC strongly encourages members to review F5’s advisory and the associated IOCs for mitigation actions.
Members are urged to patch affected BIG-IP instances to the fixed versions immediately:
- 17.x: Move to 17.5.1.3 or 17.1.3
- 16.x: Move to 16.1.6.1
- 15.x: Move to 15.1.10.8
Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form.
