🔴 CVE-2025-53521

Critical remote code execution vulnerability in F5 BIG-IP APM that can be exploited via network traffic without authentication. BIG-IP systems are commonly deployed as internet-facing load balancers and application delivery controllers.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-10-15

Added to CISA KEV: 2026-03-27 (163 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-03-27)

CVE-2025-53521 is a denial-of-service (DoS) vulnerability affecting F5 BIG-IP Access Policy Manager (APM). The vulnerability arises from a resource allocation issue (CWE-770) that occurs when an APM access policy is configured on a virtual server [1][2].

Here's a breakdown of what is known about its exploitation:

  • Internet-facing applications or services: The vulnerability affects F5 BIG-IP APM systems, which are often used to manage access to internet-facing applications and services [1][3]. Exploitation can lead to traffic disruption while the Traffic Management Microkernel (TMM) process restarts [3].
  • Evidence of active exploitation in the wild: There is no direct evidence in the provided search results indicating active exploitation of CVE-2025-53521 in the wild. However, F5 has disclosed a significant security incident involving a nation-state threat actor gaining access to its environment, which could potentially amplify the risk of zero-day exploits [4][5].
  • Attack vectors and exploitation methods: An attacker can exploit this vulnerability by sending specially crafted, undisclosed traffic to an affected virtual server configured with an APM access policy [1][7]. This traffic causes the TMM process to terminate and restart, leading to a denial-of-service condition [1][3]. The attack vector is described as "Network" with "Low" attack complexity and requiring "None" for privileges or user interaction [6].
  • Targeted attacks: While the vulnerability itself allows for a denial-of-service, the context of a nation-state actor having access to F5's environment and source code raises concerns about the potential for more sophisticated attacks, including targeted exploitation [4][5].
  • CISA Known Exploited Vulnerabilities status: CVE-2025-53521 is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog based on the provided search results [8][9].
  • Technical details about internet exploitability: The vulnerability is a resource allocation flaw (CWE-770) that can be triggered by sending specific network traffic to a BIG-IP APM virtual server [1][2]. This leads to the termination of the TMM process, which is responsible for data plane traffic [1][3]. The exploitability is characterized by a network attack vector, low complexity, and no required privileges or user interaction [6]. It is important to note that F5 only evaluates software versions that have not reached their End of Technical Support (EoTS) [3][10].

Sources

  1. K000156741: BIG-IP APM vulnerability CVE-2025-53521 - My F5

    (CVE-2025-53521) Impact: Traffic is disrupted while the TMM process restarts. This vulnerability allows an unauthenticated attacker to cause a denial-of-service (DoS) on the BIG-IP APM system. F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of t…

  2. CVE Analysis | ZeroPath Security Blog - Vulnerability... | ZeroPath

    In-depth CVE analysis and vulnerability research from ZeroPath security experts. Understand critical vulnerabilities, exploit techniques, and mitigation strategies. Short review of CVE-2025-53521 affecting F5 BIG-IP APM: a denial of service flaw caused by resource allocation issues in specific versio…

  3. F5 BIG-IP APM CVE-2025-53521: Brief Summary of ... - ZeroPath

    CVE-2025-53521 is a resource allocation vulnerability classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw is present when a BIG-IP Access Policy Manager (APM) access policy is configured on a virtual server. If an attacker sends specially crafted but undisclosed tr…

  4. F5 BIG-IP Source Code Leak Tied to State-Linked Campaigns Using ...

    On October 15, 2025, CISA issued Emergency Directive ED-26-01, warning of an imminent threat to federal networks and ordering urgent inventory, hardening, and patching of affected F5 devices. The stolen code raises the risk of rapid 0-day discovery and weaponization against internet-exposed manage…

  5. FAQ on F5 Security Incident - Blog | Tenable®

    Frequently asked questions about the August 2025 security incident at F5 and the release of multiple BIG-IP product patches. ... Starting August 9, 2025, F5 learned that a nation-state threat actor gained and maintained access to certain systems within their environment. ... With access to vulnera…