Critical remote code execution vulnerability in F5 BIG-IP APM that can be exploited via network traffic without authentication. BIG-IP systems are commonly deployed as internet-facing load balancers and application delivery controllers.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2025-10-15
Added to CISA KEV: 2026-03-27 163 DAYS BETWEEN CVE AND KEV
CVE-2025-53521 is a resource allocation vulnerability classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw is present when a BIG-IP Access Policy Manager (APM) access policy is configured on a virtual server. If an attacker sends specially crafted but undisclosed traffic to the affected virtual server, the Traffic Management Microkernel (TMM) process will terminate and restart.
In-depth CVE analysis and vulnerability research from ZeroPath security experts. Understand critical vulnerabilities, exploit techniques, and mitigation strategies.Short review of CVE-2025-53521 affecting F5 BIG-IP APM: a denial of service flaw caused by resource allocation issues in specific versions. Includes affected versions, technical details, and vendor security context. ZeroPath CVE Analysis.
(CVE-2025-53521) Impact Traffic is disrupted while the TMM process restarts. This vulnerability allows an unauthenticated attacker to cause a denial-of-service (DoS) on the BIG-IP APM system.1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy.
On October 15, 2025 , CISA issued Emergency Directive ED-26-01 , warning of an imminent threat to federal networks and ordering urgent inventory, hardening, and patching of affected F5 devices. The stolen code raises the risk of rapid 0-day discovery and weaponization against internet-exposed management services. ... Compromise of internet-exposed BIG-IP management/services to gain code execution (risk amplified by stolen source and vuln intel).
Frequently asked questions about the August 2025 security incident at F5 and the release of multiple BIG-IP product patches. ... Starting August 9 , 2025 , F5 learned that a nation-state threat actor gained and maintained access to certain systems within their environment. ... With access to vulnerability reports and source code, the threat actor could use that information to develop exploits for issues that have not yet been patched or remediated.