
CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw affecting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution.

“When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE),” according to a description of the flaw on CVE.org.

While the shortcoming was initially classified and remediated as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7, F5 said it has been reclassified as a case of RCE in light of “new information obtained in March 2026.”

The company has since updated its advisory to confirm that the vulnerability “has been exploited in the vulnerable BIG-IP versions.” It did not share any additional details on who may be behind the exploitation activity.


However, F5 published a number of indicators that can be used to assess whether a system has been compromised –

  • File-related indicators –
    • Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
    • Mismatch of file hashes when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
    • Mismatch of file sizes or timestamps when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
    • Each release and EHF (Engineering Hotfix) may have different file sizes and timestamps.
  • Log-related indicators –
    • An entry in “/var/log/restjavad-audit.<NUMBER>.log” showing a local user accessing the iControl REST API from localhost.
    • An entry in “/var/log/auditd/audit.log.<NUMBER>” showing a local user accessing the iControl REST API from localhost to disable SELinux.
    • Log messages in “/var/log/audit” showing the results of a command being run, recorded in the audit log.
  • Other TTPs observed include –
    • Modifications to the underlying components that the system integrity checker, sys-eicheck, depends on, resulting in a failure of the tool, specifically /usr/bin/umount and/or /usr/sbin/httpd, indicating unexpected changes to the system software as mentioned above.
    • HTTP/S traffic from the BIG-IP system that contains HTTP 201 response codes and a CSS content-type to disguise the attacker’s actions.
    • Modifications to the following three files, although their presence alone does not signal a security issue –
      • /var/sam/www/webtop/renderer/apm_css.php3
      • /var/sam/www/webtop/renderer/full_wt.php3
      • /var/sam/www/webtop/renderer/webtop_popup_css.php3
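A triage script for the indicators above, added here as an example rather than taken from F5's advisory. It assumes a sha256sum baseline captured from a clean BIG-IP of the same release and EHF, and the log-matching patterns (localhost addresses in restjavad-audit, a MAC_STATUS enforcing=0 record or setenforce in auditd) are assumptions about how those entries look.

```shell
#!/bin/bash
# Added triage helper (not F5's tooling) for the CVE-2025-53521 indicators above.
# $1 = root prefix ("" for a live box, /mnt/img for a mounted copy); $2 = optional
# sha256sum listing from a clean BIG-IP of the SAME release/EHF (assumed to have
# been made with: sha256sum /usr/bin/umount /usr/sbin/httpd > baseline.sha256).
# Prints the number of indicators hit to stdout and the details to stderr.
check_f5_indicators() {
  local root="${1:-}" baseline="${2:-}" findings=0 f log expected actual
  # 1. Artifact files that should not exist on a clean system.
  for f in /run/bigtlog.pipe /run/bigstart.ltm; do
    if [ -e "$root$f" ]; then
      echo "INDICATOR: unexpected file $f" >&2
      findings=$((findings + 1))
    fi
  done
  # 2. Binaries sys-eicheck depends on: compare against the known-good baseline.
  if [ -f "$baseline" ]; then
    for f in /usr/bin/umount /usr/sbin/httpd; do
      [ -f "$root$f" ] || continue
      expected=$(awk -v p="$f" '$2 == p { print $1 }' "$baseline")
      actual=$(sha256sum "$root$f" | awk '{ print $1 }')
      if [ -n "$expected" ] && [ "$expected" != "$actual" ]; then
        echo "INDICATOR: hash mismatch for $f (got $actual, baseline $expected)" >&2
        findings=$((findings + 1))
      fi
    done
  fi
  # 3. Local user reaching iControl REST from localhost. The pattern is an
  #    assumption; legitimate local automation can match too, so read the lines.
  for log in "$root"/var/log/restjavad-audit.*.log; do
    [ -f "$log" ] || continue
    if grep -qE '127\.0\.0\.1|localhost|::1' "$log"; then
      echo "INDICATOR: localhost iControl REST access in $log" >&2
      findings=$((findings + 1))
    fi
  done
  # 4. SELinux switched off (assumed to appear as a MAC_STATUS enforcing=0 record
  #    or a setenforce call in the auditd log).
  for log in "$root"/var/log/auditd/audit.log*; do
    [ -f "$log" ] || continue
    if grep -qE 'MAC_STATUS.*enforcing=0|setenforce' "$log"; then
      echo "INDICATOR: SELinux disabled according to $log" >&2
      findings=$((findings + 1))
    fi
  done
  echo "$findings"
}
```

Hash mismatches are only meaningful against a baseline from the same release and EHF, which is why the baseline is an input rather than a hard-coded value.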

“We have observed instances of webshells being written to disk; however, the webshells have been observed to work in memory only, meaning the files listed above might not be modified,” F5 cautioned.

The issue affects the following versions –

  • 17.5.0 – 17.5.1 (Fixed in version 17.5.1.3)
  • 17.1.0 – 17.1.2 (Fixed in version 17.1.3)
  • 16.1.0 – 16.1.6 (Fixed in version 16.1.6.1)
  • 15.1.0 – 15.1.10 (Fixed in version 15.1.10.8)

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been given until March 30, 2026, to apply the fixes to secure their networks.

“When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it did not immediately signal urgency, and many system administrators likely prioritized it accordingly,” watchTowr CEO and founder Benjamin Harris said in a statement shared with The Hacker News.

“Fast forward to today's big ‘yikes’ moment: the situation has changed significantly. What we're observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That is a very different risk profile than what was initially communicated.”


Defused Cyber, in an X post, has also confirmed that it is seeing “acute scanning activity” for vulnerable F5 BIG-IP devices following the addition of CVE-2025-53521 to the KEV catalog.

“This actor is hitting /mgmt/shared/identified-devices/config/device-info, which is an F5 BIG-IP REST API endpoint used to retrieve system-level information, such as hostname, machine ID, and base MAC address,” it said.
