Fortinet has reclassified CVE-2025-53521 from a high-severity DoS flaw to a remote code execution vulnerability with a 9.8 CVSS score, and it is currently under exploitation in the wild. The flaw was first disclosed on 15 October as a DoS bug affecting BIG-IP Access Policy Manager (APM), but new information obtained in March 2026 led to the RCE categorisation, according to Fortinet's updated advisory.
Dark Reading notes that the US CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on Friday, and Fortinet warns the flaw has been actively exploited. A threat actor can exploit the vulnerability by sending specific malicious traffic to virtual servers configured with BIG-IP APM, gaining remote code execution on the device; several BIG-IP APM versions are listed as vulnerable.
Fortinet urged customers to upgrade to a fixed version and cautioned that systems running in appliance mode remain susceptible, while Defused has published indicators of compromise (IoCs) for the exploitation activity.