Executive Summary

    On March 28th, F5 published an advisory updating the severity of a previously reported vulnerability in BIG-IP APM (CVE-2025-53521) to a CVSS score of 9.8. Initially classified as a denial-of-service (DoS) vulnerability, the bug was found to be actively used for remote code execution (RCE) instead. BIG-IP devices are commonly deployed on network perimeters, so a successful compromise can provide threat actors with initial access into an organization’s network.

    The bug was initially reported in October 2025 along with a large number of other F5 product vulnerabilities exposed by an APT breach that we previously reported on. As predicted, threat actors appear to have used the stolen data to find vulnerabilities and build weaponized exploits for them.

    While no public proof of concept (PoC) exploit for CVE-2025-53521 is known at time of writing, the vulnerability is already being actively exploited in the wild, as confirmed by its addition to the CISA KEV catalogue. Beazley Security strongly recommends affected organizations apply the security fixes released by F5.

    Affected Systems or Products

    CVE-2025-53521 affects BIG-IP devices where Access Policy Manager (APM) has been enabled. For more details on that system see the product documentation.

    Product            Affected Versions      Fixed Version
    BIG-IP APM 17.x    17.5.0 - 17.5.1        17.5.1.3
                       17.1.0 - 17.1.2        17.1.3
    BIG-IP APM 16.x    16.1.0 - 16.1.6        16.1.6.1
    BIG-IP APM 15.x    15.1.0 - 15.1.10       15.1.10.8

    Mitigations / Workarounds

    No mitigations or workarounds aside from the security patches were reported for CVE-2025-53521.

    Patches

    Patches have been available for some time now; review the table above for specific version numbers and the vendor advisory for guidance on applying upgrades.

    Indicators of Compromise

    F5 provided a detailed article documenting IOCs observed in an incident referenced by their CVE-2025-53521 advisory. We will summarize some of those here.

    File Activity

    • Presence of new files /run/bigtlog.pipe and/or /run/bigstart.ltm

    • Changes to existing files /usr/bin/umount and/or /usr/sbin/httpd

    Log Activity

    • Log file: /var/log/restjavad-audit.<NUMBER>.log

      [ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}

    • Log file: /var/log/auditd/audit.log.<NUMBER>

      msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

    • Log file: /var/log/audit

      user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash <VARIABLE_COMMAND>

    Command Output

    • sys-eicheck: An integrity check application that was observed reporting failures for the files /usr/bin/umount and /usr/sbin/httpd mentioned above

    • lsof -n: The common ‘list open files’ utility was observed showing entries for the above-mentioned /run/bigtlog.pipe file
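    The following is an added example, not part of the F5 article or this advisory, showing how a defender can hunt for the file and log indicators listed above. It matches the three log patterns against exported log lines and cross-checks file listings; the sample lines are constructed for illustration and the regexes are our own interpretation of the published IoCs.

```python
import re

# File indicators quoted from the F5 incident article (see the File Activity list above).
NEW_FILE_IOCS = {"/run/bigtlog.pipe", "/run/bigstart.ltm"}
MODIFIED_FILE_IOCS = {"/usr/bin/umount", "/usr/sbin/httpd"}

# restjavad-audit: f5hubblelcdadmin issuing a POST to the /mgmt/tm/util/bash REST endpoint.
RESTJAVAD_RE = re.compile(
    r'"user":"local/f5hubblelcdadmin".*"method":"POST".*"uri":"[^"]*/mgmt/tm/util/bash"'
)
# auditd: SELinux switched from enforcing to permissive.
SETENFORCE_RE = re.compile(r"avc: received setenforce notice \(enforcing=0\)")
# /var/log/audit: tmsh 'run util bash' executed by f5hubblelcdadmin.
TMSH_BASH_RE = re.compile(r"user=f5hubblelcdadmin .*cmd_data=run util bash")

PATTERNS = [
    (RESTJAVAD_RE, "restjavad: util/bash POST by f5hubblelcdadmin"),
    (SETENFORCE_RE, "auditd: SELinux set to permissive (enforcing=0)"),
    (TMSH_BASH_RE, "audit: tmsh 'run util bash' by f5hubblelcdadmin"),
]


def scan_log_lines(lines):
    """Return (1-based line number, indicator description) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for regex, label in PATTERNS:
            if regex.search(line):
                hits.append((n, label))
    return hits


def check_files(present_paths, eicheck_failed_paths):
    """present_paths: paths found on the device; eicheck_failed_paths: files sys-eicheck flagged."""
    return {
        "new_files": sorted(NEW_FILE_IOCS & set(present_paths)),
        "modified_files": sorted(MODIFIED_FILE_IOCS & set(eicheck_failed_paths)),
    }


# Constructed sample log lines (not real device output); lines 2, 3 and 5 should match.
SAMPLE_LINES = [
    'ForwarderPassThroughWorker{"user":"local/admin","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/version","status":200,"from":"Unknown"}',
    '[ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}',
    "msg='avc: received setenforce notice (enforcing=0) exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys version",
    "user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash <VARIABLE_COMMAND>",
]

if __name__ == "__main__":
    for n, label in scan_log_lines(SAMPLE_LINES):
        print(f"line {n}: {label}")
```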

    Technical Details

    No in-depth technical details of the vulnerability or proof-of-concept exploit code are known at time of writing.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.