CVE-2025-53521: F5 BIG-IP APM Flaw Reclassified as Unauthenticated RCE

Vulnerability · closed · Mar 27, 2026 – Apr 1, 2026
U.S. CISA adds a flaw in F5 BIG-IP APM to its Known Exploited Vulnerabilities catalog

A flaw in F5 BIG-IP Access Policy Manager has been reclassified as an unauthenticated remote code execution vulnerability after initial reports labelled it a denial of service issue. It is tracked as CVE-2025-53521 with a CVSS score of 9.8. The UK National Cyber Security Centre has urged organisations to apply patches immediately after confirming active exploitation in the wild. Details are available in F5's security advisory and the NCSC alert.

The vulnerability was first disclosed in October 2025 as a denial of service flaw with a CVSS rating of 7.5, but was updated in March 2026 to reflect unauthenticated remote code execution when an APM access policy is configured on a virtual server. Affected releases include 17.5.0 through 17.5.1, 17.1.0 through 17.1.2, 16.1.0 through 16.1.6 and 15.1.0 through 15.1.10, with patches issued in 17.5.1.3, 17.1.3, 16.1.6.1 and 15.1.10.8 respectively. Further technical details can be found in the NVD entry and the SecurityWeek analysis.

F5's updated advisory outlines the fixed versions for each branch and confirms that the issue is being tracked by the US Cybersecurity and Infrastructure Security Agency, which added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog and set a deadline of 30 March for federal agencies to apply updates. The UK NCSC has reiterated the warning, noting that it is still assessing any impact on British networks. Coverage from industry outlets includes an Infosecurity Magazine piece, a Dark Reading report and a Hacker News notice.

Although no specific threat actor has been linked to the activity, security researchers have observed exploitation attempts targeting unpatched BIG-IP systems with APM policies enabled, consistent with the indicators of compromise released by F5. The addition to the KEV catalogue highlights the severity of the threat and reflects confirmed use in the wild. More information on the exploitation timeline is available in the SOC Radar summary.

Defenders should prioritise upgrading to the patched version for their release branch, as running an affected release leaves the system exposed. Where immediate patching is not possible, administrators can restrict access to the virtual server interface, apply network segmentation and monitor logs for the IOCs shared by the vendor. The F5 advisory also includes detection rules and recommended mitigation steps.
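As an added example (not tooling from F5 or the NCSC), the following script triages a device inventory against the affected and fixed builds quoted above for CVE-2025-53521, ranking unpatched devices that have an APM access policy on a virtual server first; the hostnames and versions in the sample inventory are constructed.

```python
# Added example: triage a constructed BIG-IP inventory against the affected and
# fixed versions quoted on this page for CVE-2025-53521. Branch ranges and fixed
# builds below are the ones stated in the text; nothing else is from the advisory.
from dataclasses import dataclass

# (branch, first affected build, first fixed build), per the page. A build such as
# 17.5.1.2 still falls inside "17.5.0 through 17.5.1", so the check is
# start <= version < fixed on numeric tuples, not a string comparison.
AFFECTED = [
    ("17.5", (17, 5, 0), (17, 5, 1, 3)),
    ("17.1", (17, 1, 0), (17, 1, 3)),
    ("16.1", (16, 1, 0), (16, 1, 6, 1)),
    ("15.1", (15, 1, 0), (15, 1, 10, 8)),
]

def parse_version(v: str) -> tuple:
    """Turn '17.5.1.2' into (17, 5, 1, 2); a shorter tuple compares below a longer one."""
    return tuple(int(p) for p in v.strip().split("."))

def is_affected(version: str) -> tuple:
    """Return (affected, first_fixed_build) for a BIG-IP version string."""
    ver = parse_version(version)
    for branch, start, fixed in AFFECTED:
        if f"{ver[0]}.{ver[1]}" == branch:
            return start <= ver < fixed, ".".join(map(str, fixed))
    return False, None  # branch not listed on this page: outside this check's scope

@dataclass
class Device:
    name: str
    version: str
    apm_policy_on_vs: bool  # an APM access policy is attached to a virtual server

def triage(devices: list) -> list:
    """Rank devices: unpatched with an APM policy on a virtual server is urgent."""
    verdicts = []
    for d in devices:
        affected, fixed = is_affected(d.version)
        if affected and d.apm_policy_on_vs:
            verdicts.append((d.name, f"URGENT: unauthenticated RCE exposure; upgrade to {fixed}"))
        elif affected:
            verdicts.append((d.name, f"PATCH: affected release; upgrade to {fixed}"))
        else:
            verdicts.append((d.name, "OK: fixed build or branch not listed"))
    return verdicts

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = [
    Device("bigip-edge-01", "17.5.1.2", True),
    Device("bigip-edge-02", "17.5.1.3", True),
    Device("bigip-int-01", "16.1.4", False),
    Device("bigip-lab-01", "14.1.5", True),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE):
        print(f"{name}: {verdict}")
```

A device on an unlisted branch is reported as out of scope, not as safe; check the vendor advisory for branches this page does not cover.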

Organisations are encouraged to consult the NCSC's vulnerability management guidance, maintain an inventory of affected devices and verify that patching completes without disrupting critical services. Staying informed through official channels helps ensure that any future developments are addressed promptly. The NCSC resource centre provides additional advice.

CVE-2025-53521 · CVSS 9.8 · KEV
Root source: my.f5.com