According to CISA, threat actors have been exploiting a critical remote code execution vulnerability in F5 BIG-IP, tracked as CVE-2025-53521; the flaw was initially disclosed as a denial-of-service issue in October 2025 and has since been reclassified as critical. It carries a CVSS score of 9.3 and is exploitable on BIG-IP APM systems that have an access policy configured on a virtual server; BIG-IP systems running in Appliance mode are also affected.
F5 notes that CVE-2025-53521 affects multiple versions, including 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6 and 15.1.0–15.1.10; fixes are available in 17.5.1.3, 17.1.3, 16.1.6.1 and 15.1.10.8. SecurityWeek reports that the vulnerability has been exploited in the wild and that F5 has published indicators of compromise (IOCs) associated with the activity. Agencies are urged to patch within the three-day remediation window given in the KEV listing and to apply mitigations for all CVEs listed by CISA.
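The affected and fixed versions above are awkward to check by eye because F5 fixes land in four-component builds (17.5.1.3 fixes a branch whose affected range ends at 17.5.1). The following triage script is an added example, not code from CISA, F5 or SecurityWeek: it parses BIG-IP version strings into comparable tuples and classifies each host in an inventory against the ranges quoted above. It assumes that every build in an affected branch below the listed fix is unpatched, and it treats the "APM access policy on a virtual server" condition as a per-host flag the operator supplies; the inventory lines are constructed sample data.

```python
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected branch start and first fixed build, as listed in the advisory summary
# above. Assumption of this example: any build in the branch below the fixed
# build is treated as unpatched (the page lists ranges, not individual builds).
AFFECTED_BRANCHES = {
    "17.5": ("17.5.0", "17.5.1.3"),
    "17.1": ("17.1.0", "17.1.3"),
    "16.1": ("16.1.0", "16.1.6.1"),
    "15.1": ("15.1.0", "15.1.10.8"),
}


def parse_version(text: str) -> Version:
    """Turn '17.5.1.3' (or '17.5.1.3-0.0.5' with a build suffix) into a tuple of ints.

    Tuples compare lexicographically, so (17, 5, 1) < (17, 5, 1, 3), which is the
    ordering we need between an affected range end and its four-component fix.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, apm_policy_on_vs: Optional[bool] = None) -> Tuple[str, Optional[str]]:
    """Classify one BIG-IP version for CVE-2025-53521.

    Returns (status, fixed_build) where status is one of:
      'not_listed'            - branch is not in the published affected list
      'patched'               - at or above the fixed build for its branch
      'vulnerable'            - below the fixed build; exposed (APM policy on a VS)
                                or exposure unknown, so treat as exploitable
      'unpatched_not_exposed' - below the fixed build but operator states no APM
                                access policy is configured on a virtual server
    """
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in AFFECTED_BRANCHES:
        return ("not_listed", None)
    start, fixed = AFFECTED_BRANCHES[branch]
    if v < parse_version(start):
        return ("not_listed", None)
    if v >= parse_version(fixed):
        return ("patched", fixed)
    if apm_policy_on_vs is False:
        return ("unpatched_not_exposed", fixed)
    return ("vulnerable", fixed)


def triage(inventory: Iterable[Tuple[str, str, Optional[bool]]]) -> List[Tuple[str, str, Optional[str]]]:
    """Run assess() over (hostname, version, apm_policy_on_vs) rows; keep hosts needing action first."""
    rows = [(host, *assess(ver, apm)) for host, ver, apm in inventory]
    order = {"vulnerable": 0, "unpatched_not_exposed": 1, "patched": 2, "not_listed": 3}
    return sorted(rows, key=lambda r: order[r[1]])


def hosts_needing_patch(inventory: Iterable[Tuple[str, str, Optional[bool]]]) -> List[str]:
    """Hostnames that are below the fixed build for their branch, exposed or not."""
    return [h for h, status, _ in triage(inventory)
            if status in ("vulnerable", "unpatched_not_exposed")]


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("bigip-edge-01", "17.5.1-0.0.5", True),     # affected range end, APM exposed
    ("bigip-edge-02", "17.5.1.3", True),         # fixed build for the 17.5 branch
    ("bigip-lab-03", "16.1.6", False),           # below fix, no APM policy on a VS
    ("bigip-core-04", "15.1.10.7", None),        # below 15.1.10.8, exposure unknown
    ("bigip-old-05", "14.1.5", True),            # branch not in the published list
]

if __name__ == "__main__":
    for host, status, fix in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {status:22} fix={fix}")
```

Feed it the output of an inventory export with a per-host flag for whether an APM access policy is attached to a virtual server; hosts that come back `vulnerable` are the ones to patch first within the three-day window, and `unpatched_not_exposed` hosts still need the fixed build since the exposure flag only reflects current configuration.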