Vulnerability affecting F5 BIG-IP APM
The NCSC has issued an urgent alert regarding CVE-2025-53521, an actively exploited, unauthenticated remote code execution vulnerability in F5 BIG-IP Access Policy Manager (APM). Organizations are strongly advised to investigate for compromise using vendor-provided indicators, apply updates immediately, and potentially rebuild affected systems if evidence of compromise is found.
Authors: NCSC
Source: NCSC
Key Takeaways
- An unauthenticated remote code execution (RCE) vulnerability (CVE-2025-53521) affects F5 BIG-IP Access Policy Manager (APM).
- F5 has confirmed active exploitation of this vulnerability in the wild.
- The vulnerability is triggered by specific malicious traffic when an APM access policy is configured on a virtual server.
- Organizations are urged to take immediate action to isolate, investigate, and update affected systems.
- If compromise is suspected, affected systems should be erased and rebuilt as new, and the compromise reported to incident response authorities.
Affected Systems
- F5 BIG-IP Access Policy Manager (APM)
Vulnerabilities (CVEs)
- CVE-2025-53521
Attack Chain
Attackers exploit an unauthenticated remote code execution vulnerability (CVE-2025-53521) in F5 BIG-IP APM by sending specific malicious traffic to a virtual server configured with an APM access policy. Successful exploitation allows the attacker to execute arbitrary code on the affected device. This can lead to full system compromise, requiring complete rebuilds of the affected infrastructure to ensure eradication.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The NCSC alert does not contain specific detection rules, but references F5's official security advisory and published Indicators of Compromise for investigation.
Detection Engineering Assessment
- EDR Visibility: Low — F5 BIG-IP appliances are typically closed-box network devices where standard EDR agents cannot be easily deployed or supported.
- Network Visibility: High — The vulnerability is triggered via specific malicious network traffic hitting the virtual server, making network-based detection (IDS/IPS/WAF) the primary visibility point.
- Detection Difficulty: Moderate — Detecting the initial exploit requires specific network signatures for the malicious traffic. Post-exploitation detection relies on monitoring anomalous behavior on the appliance itself, which can be challenging without native EDR.
Required Log Sources
- Network traffic logs
- Web Application Firewall (WAF) logs
- F5 BIG-IP system logs (audit, LTM, APM)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for anomalous administrative commands or unexpected shell execution originating from the F5 BIG-IP APM processes. | F5 system logs, Syslog | Execution | Low |
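One way to run the hunting hypothesis above over forwarded appliance telemetry. This is an added example, not NCSC or F5 code; it assumes (not stated in the alert) that process-execution events arrive as syslog lines with a key=value payload in the constructed `procmon:` format shown, and that APM components run under the process names listed in `APM_PROCESSES`.

```python
"""Hunt for unexpected shell execution parented by APM-related processes."""
import re
from dataclasses import dataclass

# Assumed process names for APM components; adjust to the real appliance.
APM_PROCESSES = {"apmd", "apd"}
# Shells and interpreters whose appearance under an APM parent is anomalous.
SHELLS = {"sh", "bash", "dash", "ksh", "perl", "python"}

# Constructed line format: "<ts> <host> procmon: ppid=.. parent=.. pid=.. exe=.. cmd=.."
LINE_RE = re.compile(r"^(?P<ts>\S+ \d+ [\d:]+) (?P<host>\S+) procmon: (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    exe: str
    cmd: str


def parse_line(line):
    """Return the event fields as a dict, or None for unrelated/malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    fields["host"] = m.group("host")
    return fields


def hunt(lines):
    """Return a Finding for every shell or interpreter launched by an APM process."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        parent = ev.get("parent", "")
        exe = ev.get("exe", "").rsplit("/", 1)[-1]  # basename of the executable
        if parent in APM_PROCESSES and exe in SHELLS:
            findings.append(Finding(ev["host"], parent, exe, ev.get("cmd", "")))
    return findings


# Constructed sample telemetry: an admin tmsh call, one suspicious spawn, one benign APM child.
SAMPLE_LOGS = [
    'Mar 3 10:01:02 bigip1 procmon: ppid=1 parent=init pid=2201 exe=/usr/bin/tmsh cmd="tmsh list ltm"',
    'Mar 3 10:01:07 bigip1 procmon: ppid=3310 parent=apmd pid=4412 exe=/bin/sh cmd="sh -c id"',
    'Mar 3 10:01:09 bigip1 procmon: ppid=3310 parent=apmd pid=4413 exe=/usr/bin/apd cmd="apd"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"ALERT {f.host}: {f.parent} spawned {f.exe} ({f.cmd})")
```

Only the `/bin/sh` child of `apmd` is flagged; the administrative `tmsh` call and the APM-internal `apd` child are ignored, which keeps the false-positive rate in line with the table above.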
Control Gaps
- Lack of EDR support on proprietary network appliances
- Limited visibility into encrypted traffic that terminates at the load balancer
Key Behavioral Indicators
- Unexpected child processes spawned by APM services
- Anomalous configuration changes on the BIG-IP device
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Isolate the affected system(s) and replace with a new, fully up-to-date system.
- Update to the latest version of the F5 BIG-IP APM product.
- Investigate for evidence of compromise following F5's published Indicators of Compromise.
Infrastructure Hardening
- Apply appropriate security hardening to F5 appliances.
- Erase, destroy, and rebuild affected systems as new if compromise is suspected or a full investigation is not possible.
User Protection
- N/A
Security Awareness
- Report confirmed compromises to the NCSC and the vendor.
- Engage an assured Cyber Incident Response provider if compromised.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application