Attackers are exploiting RCE vulnerability in BIG-IP APM systems (CVE-2025-53521)

CISA has issued an urgent warning regarding active exploitation of a critical remote code execution vulnerability, CVE-2025-53521, affecting F5’s BIG-IP Access Policy Manager enterprise security software.

Key points

  • The vulnerability, CVE-2025-53521, carries a critical CVSS score of 9.8 and allows unauthenticated attackers to execute remote code on affected BIG-IP APM systems.
  • Affected versions include BIG-IP APM 15.1.x through 17.5.x, which are widely used by government agencies, financial institutions, and large enterprises.
  • Attackers linked to a nation-state actor have been observed deploying webshells and modifying system integrity checkers to maintain persistence within compromised networks.
  • F5 released patches in October 2025, but the vulnerability was only recently re-categorized as an RCE following new evidence discovered in March 2026.
  • CISA has mandated that all U.S. federal civilian agencies assess their systems for indicators of compromise and apply necessary mitigations by March 30, 2026.

Why it matters

This vulnerability poses a severe risk to critical infrastructure and government networks that rely on F5 systems for secure access management. Because the flaw was initially misidentified as a denial-of-service issue, organizations that delayed patching may remain vulnerable to sophisticated, long-term unauthorized access.

Help Net Security Published by Zeljka Zorz