Over 14,000 F5 BIG-IP APM instances remain exposed online as attackers actively exploit a critical remote code execution flaw, CVE-2025-53521, according to Shadowserver. The vulnerability allows specially crafted malicious traffic to trigger remote code execution (RCE) when an access policy is configured on a virtual server. The flaw was reclassified from a denial-of-service (DoS) issue to an RCE flaw in March 2026.
Shadowserver reports over 14,100 exposed IPs with BIG-IP APM fingerprints, the majority of them in the US, Europe and Asia. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Known Exploited Vulnerabilities (KEV) catalog at the end of March, and federal agencies were ordered to fix the vulnerability by 30 March 2026.
The advisory notes that software versions which have reached End of Technical Support are not evaluated, and F5 credited assistance from several organisations in the coordinated disclosure.