CVE-2025-53521

CRITICAL 9.8

⚠️ CISA KEV

BigIP APM Vulnerability

CVSS Score

9.8

EPSS Score

19.9%

EPSS Percentile

95th

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE	CWE-121
Vendor	f5
Product	big-ip
Published	Oct 15, 2025
Last Updated	Mar 31, 2026

⚠️ Actively Exploited — Act Now

Get instant alerts for f5 big-ip

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2025-53521.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

F5 / BIG-IP

17.5.0 < 17.5.1.3 17.1.0 < 17.1.3 16.1.0 < 16.1.6.1 15.1.0 < 15.1.10.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

my.f5.com: https://my.f5.com/manage/s/article/K000156741 cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521

Credits

F5 would like to thank Kristian Vlaardingerbroek, Hugo Trippaers, and other people of Schuberg Philis; Bart Vrancken; Fox-IT; and the National Cyber Security Centre (NCSC) in the Netherlands for their assistance in investigating this issue and following the highest standards of coordinated disclosure.