CVE-2025-53521 is a vulnerability in F5 BIG-IP Access Policy Manager (APM) that was reclassified in 2026 from a denial-of-service issue to an unauthenticated remote code execution (RCE) vulnerability. The flaw is actively exploited in vulnerable BIG-IP versions, and CISA has added it to its Known Exploited Vulnerabilities catalog.
The CVSS score is 9.8, and exploitation is possible when an APM access policy is configured on a virtual server, allowing remote code execution without authentication under certain conditions. Affected releases include 17.5.0–17.5.1 (fixed in 17.5.1.3), 17.1.0–17.1.2 (fixed in 17.1.3), 16.1.0–16.1.6 (fixed in 16.1.6.1), and 15.1.0–15.1.10 (fixed in 15.1.10.8); organisations should upgrade branch-by-branch rather than seeking a single latest version.
According to CISA, defenders are urged to identify internet-facing virtual servers with APM policies, patch promptly, and conduct compromise assessments both before and after upgrading, as well as monitor for related scanning and unusual access to management endpoints.
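The branch-by-branch rule above is easy to get wrong when triaging an inventory by hand, because a point release such as 17.5.1.2 sits above the quoted "17.5.1" upper bound yet below the 17.5.1.3 fix. The following added example (not F5's or CISA's tooling) encodes the advisory's version ranges and fix levels and maps each device to the fixed release in its own branch; the hostnames and versions in the sample inventory are constructed.

```python
from typing import Dict, List, Optional, Tuple

# (branch, first affected, fixed) as quoted in the advisory. Within a branch,
# every release from the first affected one up to, but excluding, the fixed
# one is vulnerable, so 17.5.1.2 is still affected despite the "17.5.0-17.5.1" range.
AFFECTED = [
    ("17.5", "17.5.0", "17.5.1.3"),
    ("17.1", "17.1.0", "17.1.3"),
    ("16.1", "16.1.0", "16.1.6.1"),
    ("15.1", "15.1.0", "15.1.10.8"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '17.5.1.3' into (17, 5, 1, 3); shorter strings are zero-padded."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_target); status is 'vulnerable', 'fixed' or
    'unlisted' (branch not covered by the advisory text, check F5's notice).
    The target never leaves the device's branch, per the upgrade guidance."""
    v = parse_version(version)
    for branch, first, fixed in AFFECTED:
        if v[:2] == parse_version(branch)[:2]:
            if parse_version(first) <= v < parse_version(fixed):
                return "vulnerable", fixed
            return "fixed", None
    return "unlisted", None

def triage_inventory(inventory: str) -> Dict[str, List[str]]:
    """Group 'hostname version' lines by status to build a patch worklist."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unlisted": []}
    for line in inventory.strip().splitlines():
        host, version = line.split()
        status, target = assess(version)
        groups[status].append(host if target is None else f"{host} -> {target}")
    return groups

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """
apm-edge-01 17.5.1.2
apm-edge-02 17.1.3
vpn-gw-03 16.1.6
legacy-04 15.1.10.8
lab-05 14.1.5
"""
```

Feed it the output of your own asset inventory (one `hostname version` pair per line); devices reported as `unlisted` are outside the ranges this page quotes and need a check against the vendor notice rather than being assumed safe.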