Update now! Attacks on F5 BIG-IP Access Policy Manager observed
The US IT security authority CISA warns of ongoing attacks on F5 BIG-IP Access Policy Manager.
IT managers who use F5 BIG-IP Access Policy Manager (APM), now marketed under the name “BIG-IP Zero Trust Access”, for application access management should urgently check whether their appliance software is up to date. The US cybersecurity authority CISA has issued a warning that attacks on a security vulnerability in the product have been observed.
Specifically, CISA writes that it is aware of attacks exploiting the vulnerability CVE-2025-53521. According to the vulnerability description, attackers can inject and execute malicious code from the internet by sending specially crafted traffic. The only prerequisite is that a BIG-IP APM access policy is configured on a virtual server (CVSS v4 score 9.3, risk “critical”).
As F5 explains in its security advisory, the vulnerability was initially categorized as a denial-of-service flaw and received a CVSS v4 score of 8.7, corresponding to a high risk. Based on new information obtained in March 2026, F5 has now reclassified it as remote code execution (RCE) with critical risk. F5 also adds the note: “We have learned that this vulnerability has been exploited in the vulnerable BIG-IP versions above.”
Updated software to close the gap
F5 has closed the security vulnerability with updated software packages. According to the manufacturer, F5 BIG-IP APM 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8, as well as later releases, no longer contain the flaw. Admins should apply the updates immediately.
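To turn the version list above and the advisory's precondition (an APM access policy attached to a virtual server) into a quick triage check, here is an added example that is not part of the article or of F5's own tooling. It compares a BIG-IP version string against the fixed releases named in the article, branch by branch, and treats any release at or above the fixed one within the same branch as patched. The sample tmsh output is constructed and its layout is an assumption; the only thing parsed from it is the dotted version number. Branches the article does not list are reported as unknown rather than guessed.

```python
"""Triage check for CVE-2025-53521: compare a BIG-IP version against the fixed
releases named in the article (17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8)."""
import re

# Fixed releases from the article, keyed by release branch (major, minor).
# Assumption: releases below the fixed version in a listed branch need the update;
# releases at or above it are treated as fixed ("and later releases").
FIXED_RELEASES = {
    (17, 5): (17, 5, 1, 3),
    (17, 1): (17, 1, 3),
    (16, 1): (16, 1, 6, 1),
    (15, 1): (15, 1, 10, 8),
}

# Constructed sample resembling `tmsh show sys version` output. The exact
# layout is an assumption; only the dotted version on the "Version" line matters.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.2.1
  Build       0.0.4
  Edition     Point Release 1
"""


def parse_version(text: str) -> tuple:
    """Return the BIG-IP version found in `text` as a tuple of ints.

    Prefers a "Version <n.n.n.n>" line (tmsh style); otherwise takes the first
    run of two to four dot-separated integers, so a bare "17.1.3" also works.
    """
    match = re.search(r"Version\s+(\d+(?:\.\d+){1,3})", text)
    if match is None:
        match = re.search(r"(?<![\d.])(\d+(?:\.\d+){1,3})(?![\d.])", text)
    if match is None:
        raise ValueError(f"no version number found in: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version_text: str, apm_policy_on_virtual_server: bool = True) -> str:
    """Classify a BIG-IP version against the fixed releases for CVE-2025-53521.

    Returns one of:
      "fixed"                - at or above the fixed release of its branch
      "update-required"      - below the fixed release and an APM access policy
                               is attached to a virtual server (the advisory's
                               precondition), i.e. exposed: patch first
      "precondition-not-met" - below the fixed release but no APM access policy
                               is attached; still update, lower urgency
      "unknown-branch"       - branch not covered by the article's list; check
                               F5's advisory directly
    """
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison is element-wise, so (17, 1, 2, 1) < (17, 1, 3)
    # and (17, 1, 3, 1) > (17, 1, 3), which is exactly the ordering we need.
    if version >= fixed:
        return "fixed"
    if not apm_policy_on_virtual_server:
        return "precondition-not-met"
    return "update-required"


if __name__ == "__main__":
    # Feed the real output of `tmsh show sys version` here instead of the sample.
    for text, apm in [(SAMPLE_TMSH_OUTPUT, True), ("17.1.3", True),
                      ("15.1.9", False), ("17.0.0", True)]:
        print(f"{parse_version(text)} -> {assess(text, apm)}")
```

Whether an APM access policy is attached to a virtual server has to be determined from the device configuration; the flag in the example is just an input so that the two conditions from the advisory (vulnerable version and attached policy) are evaluated together.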
Last October, it became known that attackers had been able to steal code and information about security vulnerabilities from F5. As a result, F5 released patches for almost four dozen security vulnerabilities at once.
(dmk)