The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in F5 BIG-IP APM (Access Policy Manager) to its Known Exploited Vulnerabilities catalog. The vulnerability, tracked as CVE-2025-53521 with a CVSS v3.1 score of 9.8, allows specially crafted malicious traffic to trigger remote code execution when an access policy is enabled on a virtual server.
It was previously classified as a Denial-of-Service issue and has been reclassified as a critical Remote Code Execution flaw based on new findings in March 2026.
The advisory notes that the flaw has been exploited in vulnerable BIG-IP versions, and it quotes vendor guidance that “we have learned that this vulnerability has been exploited in the vulnerable BIG-IP versions below.” F5 credits Schuberg Philis, Bart Vrancken, Fox-IT, and the Dutch NCSC for their assistance in investigating the issue. Under Binding Operational Directive 22-01, federal agencies are instructed to address the vulnerability by March 30, 2026.
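The precondition the advisory names is an access policy attached to a virtual server, so the first thing an operator wants is a list of which virtual servers that applies to. The script below is an added example, not code from CISA's or F5's advisory: it cross-references the output of `tmsh list apm profile access` with the `profiles {}` blocks in `tmsh list ltm virtual`, using constructed sample output embedded inline. The exact layout of that tmsh output (object headers, brace nesting, `/Common/` paths) is an assumption, and the profile and virtual server names are invented.

```python
"""Inventory BIG-IP virtual servers that have an APM access profile attached.

Added example; the two sample texts are constructed and mimic an assumed
tmsh output layout. Profile and virtual server names are hypothetical.
"""
import re
import sys
from typing import Dict, List, Set

# Constructed sample of `tmsh list apm profile access` (layout assumed).
SAMPLE_ACCESS_PROFILES = """\
apm profile access access_vpn {
    accept-languages { en }
}
apm profile access access_portal {
    accept-languages { en }
}
"""

# Constructed sample of `tmsh list ltm virtual` (layout assumed). The
# `rules {}` block in vs_plain_web is a deliberate distractor: it contains a
# /Common path that is not a profile.
SAMPLE_VIRTUALS = """\
ltm virtual vs_vpn {
    destination 203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/access_vpn {
            context all
        }
        /Common/clientssl {
            context clientside
        }
        /Common/tcp { }
    }
}
ltm virtual vs_plain_web {
    destination 203.0.113.11:443
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/log_headers
    }
}
ltm virtual vs_portal {
    destination 203.0.113.12:443
    profiles {
        /Common/http { }
        /Common/access_portal { }
        /Common/tcp { }
    }
}
"""

ACCESS_RE = re.compile(r"^apm profile access (\S+) \{", re.M)
VIRTUAL_RE = re.compile(r"^ltm virtual (\S+) \{$")


def full_path(name: str) -> str:
    """tmsh prints objects in /Common without a partition prefix; normalise."""
    return name if name.startswith("/") else "/Common/" + name


def parse_access_profiles(text: str) -> Set[str]:
    """Full paths of every APM access profile in the listing."""
    return {full_path(m.group(1)) for m in ACCESS_RE.finditer(text)}


def parse_virtual_profiles(text: str) -> Dict[str, List[str]]:
    """Map each virtual server to the profile paths in its `profiles {}` block.

    Brace depth is tracked so paths in other blocks (e.g. `rules {}`) are
    not mistaken for profiles.
    """
    result: Dict[str, List[str]] = {}
    current, depth, in_profiles = None, 0, False
    for line in text.splitlines():
        s = line.strip()
        m = VIRTUAL_RE.match(line)
        if m:
            current = full_path(m.group(1))
            result[current] = []
            depth, in_profiles = 1, False
            continue
        if current is None:
            continue
        if depth == 1 and s == "profiles {":
            in_profiles = True
        elif in_profiles and depth == 2 and s.startswith("/"):
            result[current].append(s.split()[0])
        depth += s.count("{") - s.count("}")
        if depth < 2:
            in_profiles = False
        if depth == 0:
            current = None
    return result


def virtuals_with_access_policy(access_text: str, virtual_text: str) -> Dict[str, List[str]]:
    """Return {virtual server: [attached access profiles]} for exposed virtuals."""
    access = parse_access_profiles(access_text)
    hits: Dict[str, List[str]] = {}
    for vs, profiles in parse_virtual_profiles(virtual_text).items():
        attached = [p for p in profiles if p in access]
        if attached:
            hits[vs] = attached
    return hits


if __name__ == "__main__":
    # Usage: python inventory.py access_profiles.txt virtuals.txt
    # (files saved from the two tmsh commands); with no arguments the
    # constructed samples above are used.
    if len(sys.argv) == 3:
        access_text, virtual_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        access_text, virtual_text = SAMPLE_ACCESS_PROFILES, SAMPLE_VIRTUALS
    for vs, profiles in sorted(virtuals_with_access_policy(access_text, virtual_text).items()):
        print(f"{vs}: access profile(s) {', '.join(profiles)} attached")
```

On the sample data this flags vs_vpn and vs_portal and leaves vs_plain_web alone. It is an inventory aid only: whether a flagged device is actually vulnerable depends on the installed version, which the F5 advisory lists and this page does not reproduce, so compare `tmsh show sys version` against that list rather than relying on the attachment check alone. On a multi-partition system, generate both listings from the root folder with tmsh's `recursive` option so virtual servers outside /Common are included.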