Arctic Wolf Security Bulletin

CVE-2025-53521: F5 BIG-IP APM Vulnerability Reclassified as Unauthenticated RCE and Exploited in the Wild

On 28 March 2026, F5 updated its security advisory for a vulnerability impacting BIG-IP APM that was originally disclosed in October 2025 (CVE-2025-53521). The vulnerability was initially classified as a medium-severity denial-of-service (DoS) issue but has been reclassified as a critical remote code execution (RCE) vulnerability. F5 has stated CVE-2025-53521 is being exploited by unauthenticated remote threat actors to deploy web shells. The flaw arises from improper handling of crafted traffic in the APM component when an access policy is attached to a virtual server.

Further details on exploitation remain limited. CVE-2025-53521 is a data plane issue with no control plane exposure, and internet-exposed APM virtual servers are at the highest risk. The original fixes released in October 2025 are reported to mitigate the now-documented RCE vector.

Arctic Wolf has not identified a publicly available proof-of-concept (PoC) exploit. Due to the level of access a threat actor could obtain and the widespread use of this internet-facing edge device, increased opportunistic targeting is likely.

Recommendation for CVE-2025-53521

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.

| Product | Affected Version | Fixed Version |
|---|---|---|
| BIG-IP APM (15.1.x) | 15.1.0–15.1.10 | 15.1.10.8 |
| BIG-IP APM (16.1.x) | 16.1.0–16.1.6 | 16.1.6.1 |
| BIG-IP APM (17.1.x) | 17.1.0–17.1.2 | 17.1.3 |
| BIG-IP APM (17.5.x) | 17.5.0–17.5.1 | 17.5.1.3 |

Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
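
To apply the table above across a fleet, the following added example (not Arctic Wolf or F5 code) classifies BIG-IP version strings against the fixed versions and orders the upgrade list so internet-exposed devices come first. The inventory, host names and the `exposed` field are constructed for illustration, and it assumes any build in a listed branch below the fixed version needs the upgrade.

```python
import re

# Affected branch -> first fixed build, copied from the bulletin's table.
FIXED = {(15, 1): (15, 1, 10, 8), (16, 1): (16, 1, 6, 1),
         (17, 1): (17, 1, 3), (17, 5): (17, 5, 1, 3)}

def parse_version(text):
    """'15.1.10.7' -> (15, 1, 10, 7); None if not 2-4 dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def _pad(version, width=4):
    return version + (0,) * (width - len(version))

def classify(version_text):
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "branch-not-listed"  # the bulletin says nothing about this branch
    # Compare numerically: as strings, "15.1.9" would sort after "15.1.10.8".
    return "upgrade-required" if _pad(version) < _pad(fixed) else "fixed"

def triage(inventory):
    """Rows of (host, status, target_version, exposed), most urgent first."""
    rows = []
    for item in inventory:
        status = classify(item["version"])
        fixed = FIXED.get((parse_version(item["version"]) or ())[:2])
        target = ".".join(map(str, fixed)) if status == "upgrade-required" else None
        rows.append((item["host"], status, target, item["exposed"]))
    order = {"upgrade-required": 0, "unparseable": 1,
             "branch-not-listed": 2, "fixed": 3}
    return sorted(rows, key=lambda r: (order[r[1]], not r[3], r[0]))

# Constructed sample inventory; "exposed" marks an internet-facing APM virtual server.
SAMPLE_INVENTORY = [
    {"host": "bigip-int-01", "version": "16.1.5", "exposed": False},
    {"host": "bigip-dmz-02", "version": "17.1.3", "exposed": True},
    {"host": "bigip-lab-01", "version": "16.0.1", "exposed": False},
    {"host": "bigip-dmz-01", "version": "15.1.10.7", "exposed": True},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

A `branch-not-listed` result means the bulletin's table does not cover that branch, so check the vendor advisory for it rather than treating the device as unaffected.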
