CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added CVE-2025-53521, a Remote Code Execution vulnerability affecting F5 BIG-IP, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. All organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.
Authors: CISA
Source: CISA
Key Takeaways
- CISA added CVE-2025-53521, an F5 BIG-IP Remote Code Execution (RCE) vulnerability, to the Known Exploited Vulnerabilities (KEV) Catalog.
- There is confirmed evidence of active exploitation of this vulnerability in the wild.
- Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability per Binding Operational Directive (BOD) 22-01.
- All organizations are strongly urged to prioritize timely remediation of this vulnerability to reduce exposure to cyberattacks.
Affected Systems
- F5 BIG-IP
Vulnerabilities (CVEs)
- CVE-2025-53521
Attack Chain
Threat actors are actively exploiting CVE-2025-53521, a Remote Code Execution vulnerability in F5 BIG-IP systems. Successful exploitation allows attackers to execute arbitrary code on the affected public-facing devices, potentially leading to full system compromise and unauthorized network access.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the CISA alert.
Detection Engineering Assessment
EDR Visibility: Low — F5 BIG-IP devices are proprietary network appliances that generally do not support standard endpoint detection and response (EDR) agent installations.
Network Visibility: High — Exploitation of an edge device like F5 BIG-IP typically involves anomalous inbound network traffic and potentially anomalous outbound connections post-exploitation.
Detection Difficulty: Moderate — Without specific exploit payload details, detection relies on identifying anomalous administrative access, unexpected shell execution, or unusual network traffic patterns targeting the F5 appliance.
Required Log Sources
- Network flow logs
- Web Application Firewall (WAF) logs
- F5 BIG-IP system and access logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for anomalous inbound network requests to F5 BIG-IP management or traffic interfaces that deviate from normal baseline traffic, indicating potential exploitation attempts. | Network flow logs, WAF logs | Initial Access | Medium |
Control Gaps
- Lack of EDR telemetry on proprietary network appliances
Key Behavioral Indicators
- Unexpected child processes spawned by F5 BIG-IP web services
- Anomalous configuration changes on the F5 device
- Unusual outbound network connections originating from the F5 appliance
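The hunting hypothesis and the network-side behavioral indicators above can be turned into a first-pass hunt over flow logs. The script below is an added example, not part of the CISA alert; the appliance addresses, trusted admin network, baseline destinations and CSV flow format are all constructed placeholders to be replaced with a site's own inventory.

```python
"""Hunt for two network-side behaviours the assessment above calls out: inbound
connections to the BIG-IP management interface from outside a trusted admin set,
and outbound connections from the appliance to destinations not in the baseline.
All addresses and flow records below are constructed samples."""
from ipaddress import ip_address, ip_network

# Constructed inventory values; replace with the site's own.
F5_MGMT_IP = ip_address("10.0.0.5")                      # management interface
F5_SELF_IPS = {F5_MGMT_IP, ip_address("203.0.113.10")}   # mgmt + virtual server
TRUSTED_ADMIN_NETS = [ip_network("10.10.0.0/24")]        # admin VLAN / jump hosts
MGMT_PORTS = {22, 443}                                   # SSH, configuration utility
BASELINE_OUTBOUND = {ip_address("10.0.0.53"), ip_address("10.0.0.123")}  # DNS, NTP

def parse_flows(lines) -> list[dict]:
    """Parse 'src,sport,dst,dport,proto' records (constructed CSV flow format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto = line.split(",")
        flows.append({"src": ip_address(src), "sport": int(sport),
                      "dst": ip_address(dst), "dport": int(dport), "proto": proto})
    return flows

def hunt(flows: list[dict]) -> list[tuple]:
    """Return (finding, peer, port) tuples; flows are connection initiations."""
    findings = []
    for f in flows:
        # Hypothesis 1: management-plane access from a non-admin source.
        if (f["dst"] == F5_MGMT_IP and f["dport"] in MGMT_PORTS
                and not any(f["src"] in net for net in TRUSTED_ADMIN_NETS)):
            findings.append(("untrusted_mgmt_access", str(f["src"]), f["dport"]))
        # Hypothesis 2: the appliance itself initiating a connection to an unbaselined peer.
        if (f["src"] in F5_SELF_IPS and f["dst"] not in BASELINE_OUTBOUND
                and f["dst"] not in F5_SELF_IPS):
            findings.append(("unbaselined_outbound", str(f["dst"]), f["dport"]))
    return findings

SAMPLE_FLOWS = """# src,sport,dst,dport,proto (constructed)
10.10.0.7,51000,10.0.0.5,443,tcp
198.51.100.23,40022,10.0.0.5,443,tcp
10.0.0.5,53211,10.0.0.53,53,udp
10.0.0.5,44000,198.51.100.23,8080,tcp
192.0.2.9,55555,203.0.113.10,443,tcp
""".splitlines()

if __name__ == "__main__":
    for finding in hunt(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

Ordinary client traffic to the virtual server is left alone; only management-plane access from outside the admin network and appliance-initiated connections to unbaselined peers are reported, which keeps the false-positive rate in line with the Medium rating above.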
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Apply the latest security patches or mitigations provided by F5 for CVE-2025-53521 immediately.
Infrastructure Hardening
- Restrict access to the F5 BIG-IP management interface to trusted internal IP addresses only.
- Implement Web Application Firewall (WAF) rules to block known exploit patterns if available.
User Protection
- N/A
Security Awareness
- Ensure vulnerability management teams are tracking CISA KEV additions and prioritizing them according to BOD 22-01 guidelines.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application