According to The National Cyber Security Centre (NCSC), UK organisations have been urged to immediately patch a critical vulnerability in F5’s BIG-IP Access Policy Manager (APM) that is currently under active exploitation. The NCSC said it is still working to understand UK impact and any cases of active exploitation affecting UK networks. The flaw is CVE-2025-53521 and could lead to remote code execution when a BIG-IP APM access policy is configured on a virtual server.
F5 initially classified the bug as a denial-of-service vulnerability with a CVSS of 7.5, but updated information in March 2026 re-categorised it as an RCE flaw with a score of 9.8. The US CISA added the CVE to its Known Exploited Vulnerabilities catalog and gave federal agencies until midnight on 30 March to patch.
F5 also advised customers to follow incident-handling guidelines, rebuild configurations from scratch if needed, and update to the latest product version, as failure to do so could leave systems exposed to compromise.