F5 BIG-IP Critical RCE Exploited in the Wild After Five-Month Misclassification

Mar 30, 2026 · CVSS 9.8 · 240K+ exposed instances

CRITICAL CORROBORATED

By Karim El Labban · ZERO|TOLERANCE

CVE: CVE-2025-53521 · Impact: 240,000+ exposed instances

F5 BIG-IP Access Policy Manager systems are under active attack through CVE-2025-53521, an unauthenticated remote code execution vulnerability that F5 originally classified as a denial-of-service flaw when it published advisory K000156741 on October 15, 2025. Due to new information obtained in March 2026, F5 reclassified the vulnerability from DoS to RCE and confirmed active exploitation in the wild.

The CNA-assigned CVSS scores are 9.8 (v3.1) and 9.3 (v4.0). Attackers are deploying webshells - some operating entirely in memory - on compromised devices, disabling SELinux protections, and tampering with sys-eicheck, the system integrity checking tool, to evade detection.

CISA added the flaw to its Known Exploited Vulnerabilities catalog on March 27, 2026, under BOD 22-01, ordering all federal agencies to remediate by midnight on March 30 - a 72-hour window that reflects the severity.

Shadowserver Foundation tracks over 240,000 BIG-IP instances exposed to the public internet.

01

KEY FACTS

  • What: Unauthenticated remote code execution in F5 BIG-IP Access Policy Manager via the apmd process, originally misclassified as denial-of-service.
  • Who: Any organization running BIG-IP APM with an access policy configured on a virtual server. Affected versions: 17.5.0 through 17.5.1, 17.1.0 through 17.1.2, 16.1.0 through 16.1.6, and 15.1.0 through 15.1.10.
  • How: Specially crafted malicious traffic sent to a BIG-IP APM virtual server with an access policy configured triggers remote code execution in the apmd process without authentication.
  • Data: Webshell deployment enables full system compromise - attackers gain access to all traffic transiting the BIG-IP, including authentication credentials, session tokens, and potentially all data passing through the reverse proxy.
  • Actor: Exploitation confirmed in the wild. No specific threat actor has been publicly attributed to the CVE-2025-53521 exploitation campaign by F5 or CISA. Separately, UNC5221 (China-nexus) is attributed to the October 2025 F5 corporate breach that yielded BIG-IP source code.
  • Impact: 240,000+ BIG-IP instances exposed online. CISA KEV and Emergency Directive ED-26-01 both in effect for federal agencies. UK NCSC, Dutch NCSC, New Zealand NCSC, and Canadian Cyber Centre all issued advisories.

02

WHAT HAPPENED

On October 15, 2025, F5 published security advisory K000156741 addressing CVE-2025-53521 as a denial-of-service vulnerability with a CVSS v3.1 score of 7.5 and a CVSS v4.0 score of 8.7. The flaw affected the apmd process in BIG-IP Access Policy Manager - the component that processes live authentication and access control traffic.

F5 released patches across all affected version branches: 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8.

That same day, F5 disclosed a separate but related event: a "highly sophisticated nation-state threat actor" had breached F5's internal systems, exfiltrating portions of BIG-IP source code and information about undisclosed vulnerabilities.

F5 detected the unauthorized access on August 9, 2025, but delayed public disclosure at the direction of the U.S. Department of Justice under Form 8-K Item 1.05(c), citing risks to national security. Bloomberg reported the attackers maintained access for at least 12 months.

CISA responded by issuing Emergency Directive ED-26-01, ordering all Federal Civilian Executive Branch agencies to inventory every F5 product on their networks, restrict management interface exposure, and apply all available patches.

Five months later, in March 2026, F5 obtained new information that fundamentally changed the risk calculus. F5 stated: "This known vulnerability was previously categorized and remediated as a Denial-of-Service (DoS) vulnerability. Due to new information obtained in March 2026, the original vulnerability is being re-categorized to an RCE." The CVSS scores were elevated from 7.5/8.7 to 9.8/9.3. F5 confirmed active exploitation and published indicators of compromise under supplemental document K000160486. The original patches released in October 2025 address both the DoS and RCE conditions, meaning organizations that patched promptly in October are protected.

Organizations that delayed patching operated with an exposed attack surface far more dangerous than they understood.

CISA added CVE-2025-53521 to the Known Exploited Vulnerabilities catalog on March 27, 2026, with a remediation deadline of March 30 under BOD 22-01. The UK National Cyber Security Centre published its own advisory on March 30, 2026, stating it was investigating UK impact and potential cases of active exploitation on UK networks.

F5 credited Schuberg Philis, Bart Vrancken, Fox-IT, and the Dutch NCSC for their help investigating the issue and ensuring coordinated disclosure. New Zealand's NCSC and Canada's Cyber Centre also issued advisories.

Defused Cyber reported "acute scanning activity" targeting /mgmt/shared/identified-devices/config/device-info - an F5 BIG-IP REST API endpoint - following the KEV listing.

watchTowr CEO Benjamin Harris stated: "What we're observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up."

THE BROADER CONTEXT: F5 CORPORATE BREACH

The October 2025 F5 corporate breach is a separate but related event that gives CVE-2025-53521 its urgency. Open-source reporting and forensic indicators tie the breach to UNC5221, a China-nexus threat cluster.

Resecurity published detailed analysis linking the intrusion to Brickstorm, a Go-based ELF backdoor with SOCKS proxy capabilities designed for deployment on network edge appliances.

CISA, NSA, and the Canadian Centre for Cyber Security published Malware Analysis Report AR25-338A on December 4, 2025, with an update on December 19 adding indicators for Rust-based Brickstorm variants.

The circumstantial connection is straightforward: a sophisticated adversary with BIG-IP source code and vulnerability intelligence gained the ability to perform static and dynamic analysis for identifying logical flaws and zero-day exploits.

Five months later, a vulnerability originally classified as DoS was reclassified as unauthenticated RCE with active exploitation. No authoritative source has confirmed a direct causal link between the source code theft and the CVE-2025-53521 reclassification.

We note this gap, but the risk model demands that defenders treat them as connected until proven otherwise.

03

WHAT WAS EXPOSED

BIG-IP Access Policy Manager sits at the authentication boundary of enterprise networks. A compromised BIG-IP APM device exposes:

  • Authentication credentials: usernames, passwords, SAML tokens, Kerberos tickets, and certificate-based authentication data for every user authenticating through the device
  • Session tokens and cookies: for all applications behind the reverse proxy
  • Multi-factor authentication bypass: the attacker operates from a position behind the MFA enforcement point
  • Network traffic in transit: all HTTP/S traffic passing through the virtual server, including API calls, form submissions, and file transfers
  • Internal network topology: the BIG-IP has direct visibility into backend server addresses, health check configurations, and application architecture
  • VPN configurations: remote access credentials if BIG-IP APM is used as the organization's VPN gateway
  • SSL/TLS private keys: stored on the device, enabling decryption of intercepted traffic
  • Active Directory and LDAP credentials: integration credentials used for authentication backend connectivity

Because the deployed webshells can operate entirely in memory, traditional file integrity monitoring would not detect the compromise. The attackers also tampered with sys-eicheck, BIG-IP's built-in system integrity checker, specifically to evade detection.

04

TECHNICAL FAILURE CHAIN

1. Misclassification at disclosure. F5 initially assessed CVE-2025-53521 as a denial-of-service condition (CVSS v3.1: 7.5) rather than remote code execution (CVSS v3.1: 9.8). Organizations that triaged based on the DoS classification may have deprioritized patching.

A 7.5 DoS flaw competes for resources differently than a 9.8 unauthenticated RCE in most vulnerability management programs.

2. Five-month exposure window. The vulnerability was disclosed and patched in October 2025. Active exploitation was confirmed in March 2026. Organizations that did not patch within that window - whether due to the lower severity rating, change management delays, or operational concerns about patching critical infrastructure - were exposed to unauthenticated RCE for up to five months.

3. Internet-exposed data plane. Shadowserver tracks over 240,000 BIG-IP instances with their management or data plane interfaces reachable from the public internet.

CVE-2025-53521 is a data plane vulnerability, meaning it is exploitable through the virtual server handling legitimate traffic - not just through the management interface. This makes network segmentation of the management plane insufficient as a mitigation.

4. Integrity monitoring subversion. The attackers specifically modified sys-eicheck, the BIG-IP system integrity checking tool. This means the device's own diagnostic capabilities were compromised, rendering self-assessment unreliable.

Organizations that relied on BIG-IP's built-in integrity verification to confirm they were not compromised may have received false assurance.

5. Memory-only persistence. Webshells operating exclusively in memory evade file-based detection, forensic disk imaging, and traditional IOC scanning.

F5's IOC guidance explicitly warns that "the files listed might not be modified," indicating that absence of file-based indicators does not mean absence of compromise.

05

INDICATORS OF COMPROMISE

F5 published IOCs under advisory K000156741 and supplemental document K000160486 (titled "Indicators of Compromise for c05d5254"). Defenders should check for:

  • Suspicious file artifacts: /run/bigtlog.pipe and /run/bigstart.ltm present on the system
  • Hash/size/timestamp mismatches: /usr/bin/umount and /usr/sbin/httpd when compared against known-good versions from the same firmware release
  • iControl REST API abuse: log entries in /var/log/restjavad-audit.[NUMBER].log showing a local user accessing from localhost (indicates post-exploitation lateral movement)
  • SELinux disabled: entries in /var/log/auditd/audit.log.[NUMBER] showing local access used to disable SELinux
  • Integrity checker tampered: modifications to sys-eicheck components (the system integrity checker itself)
  • C2 communication: outbound HTTP/S traffic using HTTP 201 response codes with CSS content types (masquerading as legitimate web traffic)
  • Malware artifact: c05d5254
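One way to triage a device against the indicator classes above, as an added example that is not F5's code or part of the K000160486 guidance: it takes a list of paths present on the device, observed binary hashes alongside a baseline taken from clean media of the same release, and audit and proxy log lines in a constructed key=value layout (real restjavad-audit and proxy log formats differ, so the parser must be adapted to them).

```python
"""IOC triage over the indicator set listed above. Added example, not F5's
code or the K000160486 tooling. Log line layouts are constructed and
simplified (key=value fields); real restjavad-audit and proxy logs differ."""
import re

KV = re.compile(r"(\w+)=(\S+)")
ARTIFACT_FILES = ("/run/bigtlog.pipe", "/run/bigstart.ltm")
LOCALHOST = {"127.0.0.1", "::1", "localhost"}

def parse_kv(line):
    """Turn 'a=1 b=2' style lines into a dict (constructed format)."""
    return dict(KV.findall(line))

def artifact_hits(existing_paths):
    """Advisory artifact files present among the device's paths."""
    present = set(existing_paths)
    return [p for p in ARTIFACT_FILES if p in present]

def binary_mismatches(observed, baseline):
    """observed/baseline map path -> sha256; baseline comes from clean media."""
    return sorted(p for p, good in baseline.items() if observed.get(p) != good)

def local_rest_access(audit_lines):
    """restjavad-audit: a 'local/...' user calling iControl REST from localhost."""
    return [ln for ln in audit_lines
            if parse_kv(ln).get("user", "").startswith("local/")
            and parse_kv(ln).get("src") in LOCALHOST]

def suspicious_egress(proxy_lines):
    """Outbound HTTP 201 responses carrying a CSS content type (C2 masquerade)."""
    return [ln for ln in proxy_lines
            if parse_kv(ln).get("status") == "201"
            and parse_kv(ln).get("content_type", "").startswith("text/css")]

def triage(existing_paths, observed, baseline, audit_lines, proxy_lines):
    """One report entry per indicator class; an empty list means no hit."""
    return {"artifacts": artifact_hits(existing_paths),
            "binaries": binary_mismatches(observed, baseline),
            "local_rest": local_rest_access(audit_lines),
            "egress": suspicious_egress(proxy_lines)}

if __name__ == "__main__":
    # Constructed sample data (placeholder hashes), one hit per class.
    report = triage(
        ["/run/bigstart.ltm", "/etc/hosts"],
        {"/usr/bin/umount": "aaa", "/usr/sbin/httpd": "ccc"},
        {"/usr/bin/umount": "aaa", "/usr/sbin/httpd": "bbb"},
        ["ts=2026-03-28T10:14:02Z user=local/admin src=127.0.0.1 uri=/mgmt/shared/identified-devices/config/device-info",
         "ts=2026-03-28T10:20:00Z user=remote/jdoe src=10.0.0.5 uri=/mgmt/tm/sys/version"],
        ["ts=2026-03-28T10:15:40Z dst=203.0.113.7:443 status=201 content_type=text/css",
         "ts=2026-03-28T10:15:41Z dst=203.0.113.9:443 status=200 content_type=text/html"])
    for key, hits in report.items():
        print(f"{key}: {len(hits)} hit(s)")
```

A hit in any class is a reason to escalate, not a verdict; memory-only webshells mean an empty report does not clear the device.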

Separately, for organizations assessing broader exposure to the UNC5221/Brickstorm campaign tied to the F5 corporate breach, CISA/NSA/Canadian Cyber Centre published additional IOCs in Malware Analysis Report AR25-338A (December 4, 2025, updated December 19).

These Brickstorm indicators relate to the F5 breach investigation, not specifically to CVE-2025-53521 exploitation, but defenders should review both sets given the overlapping risk surface.

06

REGULATORY EXPOSURE

CISA BOD 22-01 / KEV: Federal agencies required to patch by March 30, 2026. Non-compliance exposes agencies to FISMA audit findings and OMB reporting requirements.

CISA Emergency Directive ED-26-01: Issued October 15, 2025 in response to the F5 corporate breach, mandating inventory, hardening, and patching of all F5 products across FCEB agencies. This directive covers all F5 products, not only CVE-2025-53521.

HIPAA Security Rule (45 CFR 164.312): Healthcare organizations using BIG-IP APM for clinician or patient portal authentication face notification obligations if ePHI transited a compromised device.

SEC Regulation S-K / 8-K: Public companies must assess materiality of a BIG-IP compromise and disclose within 4 business days if material. Failure to disclose is an independent violation.

GDPR Articles 5(1)(f), 32, 33, 34: EU organizations using BIG-IP APM for authentication must notify their supervisory authority within 72 hours of confirming compromise. Fines up to 4% of annual global turnover or EUR 20M.

UK GDPR / DPA 2018: UK NCSC advisory explicitly notes UK organizations are affected. ICO enforcement applies. Fines up to GBP 17.5M or 4% of turnover.

Saudi PDPL / NCA: Organizations operating in Saudi Arabia using F5 infrastructure for access management face fines up to SAR 5M. NCA Essential Cybersecurity Controls mandate timely patching of critical vulnerabilities.

UAE PDPL (Federal Decree-Law No. 45/2021): UAE entities using BIG-IP for authentication and access control face fines up to AED 10M for failure to protect personal data in transit.

PCI DSS 4.0 (Requirement 6.3): Organizations processing payment data through BIG-IP must treat unpatched critical vulnerabilities as a compliance gap.

NIS2 Directive: EU essential and important entities must report significant incidents to national CSIRTs within 24 hours of awareness.

07

INTELLIGENCE GAPS

1. Exploitation start date unknown. F5 confirmed exploitation was discovered in March 2026 but does not specify when it began. The window between October 2025 patching and March 2026 confirmation leaves significant ambiguity.

2. Threat actor for CVE-2025-53521 exploitation not attributed. F5 and CISA have not publicly named the actors exploiting this specific vulnerability. UNC5221 is attributed to the F5 corporate breach, but the connection to active CVE-2025-53521 exploitation is circumstantial.

3. Victim count and identities undisclosed. No specific organizations have been confirmed compromised via CVE-2025-53521. Only generic "in the wild" confirmation exists.

4. Webshell samples not publicly released. F5 published IOC indicators but full malware samples are not in public repositories as of this writing.

5. Number of actually vulnerable instances unknown. Shadowserver tracks over 240,000 exposed BIG-IP instances, but the subset running APM with access policies configured on virtual servers - the specific condition required for exploitation - is not quantified.

6. Causal chain between source code theft and CVE reclassification unconfirmed. The theory that source code access enabled deeper analysis revealing the RCE condition is plausible but not publicly confirmed by F5, CISA, or any authoritative source.

08

ZERO|TOLERANCE Advisory

A vulnerability that F5 told the world was "only" denial-of-service turns out to be unauthenticated remote code execution with active exploitation and memory-resident webshells.

This reclassification arrives five months after a nation-state actor stole F5's source code - a connection that is circumstantial but that defenders cannot afford to ignore.

Every organization that deprioritized patching based on the original CVSS 7.5 assessment made a rational decision with incomplete information.

Patch within the vendor's original October 2025 timeline regardless of DoS classification. A CVSS 7.5 vulnerability in an internet-facing authentication gateway should trigger patching within days, not months.

Organizations that treat "only DoS" as low priority for edge infrastructure misunderstand the risk.

Remove BIG-IP management interfaces from the public internet and restrict data plane exposure. CISA's BOD 23-02 and Emergency Directive ED-26-01 both require this. Over 240,000 instances remain exposed.

CVE-2025-53521 is a data plane vulnerability - exploitable through the virtual server handling legitimate traffic, not just the management interface. Network segmentation of the management plane alone is insufficient.

Deploy independent integrity monitoring that does not rely on the device's own tools. The attackers specifically subverted sys-eicheck.

Use external file integrity monitoring, network-based anomaly detection, and out-of-band configuration verification that cannot be tampered with by an attacker with code execution on the device.

Monitor for anomalous BIG-IP egress traffic. HTTP 201 responses with CSS content types, unexpected WebSocket upgrades from management subnets, and Yamux-multiplexed TLS sessions are distinctive C2 indicators that should trigger immediate investigation.

Assume compromise for any unpatched instance. Memory-only webshells mean that absence of file-based IOCs does not indicate absence of compromise.

Any BIG-IP APM instance that was unpatched between October 2025 and March 2026 should be treated as potentially compromised, reimaged from known-good media, and have all credentials that transited the device rotated.

The attackers built their tooling for stealth - and they subverted the very tool you would use to check.

09

SOURCES

BleepingComputer, Help Net Security, CISA KEV Catalog, CISA Emergency Directive ED-26-01, CISA/NSA/Canadian Cyber Centre Malware Analysis Report AR25-338A (December 2025), F5 Security Advisory K000156741, F5 Supplemental IOC Document K000160486, UK National Cyber Security Centre, Dutch National Cyber Security Center, New Zealand NCSC, Canadian Centre for Cyber Security, Resecurity, RH-ISAC, Shadowserver Foundation, NVD (NIST), watchTowr (Benjamin Harris), Defused Cyber, CyberDaily, SecurityAffairs, Zscaler, Rapid7
