External risk intelligence

BIG-IP APM Remote Code Execution Vulnerability

CVE advisory · Known Exploit

CVE-2025-53521

A vulnerability in F5 BIG-IP Access Policy Manager allows remote code execution when specific malicious traffic is processed. This flaw enables unauthenticated attackers to gain control of affected systems, posing a risk of data compromise and business disruption. Organizations should prioritize assessing their exposure.

Halo Surface Signal: 5

Remote Code Execution

F5 BIG-IP Access Policy Manager

  • 15.1.0 to before 15.1.10.8
  • 16.1.0 to before 16.1.6.1
  • 17.1.0 to before 17.1.3
  • 17.5.0 to before 17.5.1.3

External exposure likelihood

Halo Surface Signal score for CVE-2025-53521

F5 BIG-IP Access Policy Manager (APM) is an internet-facing gateway and identity/access portal. As an edge security product it is deployed at the network perimeter to terminate incoming connections, so in a normal deployment it is a public-facing service by design.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in F5 BIG-IP Access Policy Manager allows for remote code execution when specific malicious traffic is processed. This flaw could enable unauthorized actors to gain control of affected systems. The potential impact on an organization includes the compromise of sensitive data, disruption of critical business operations, and unauthorized access to internal resources.

  • Vulnerable F5 BIG-IP APM
  • Flaw permits remote code execution
  • Business risk and data compromise

Attack Path

How an attacker could exploit the issue

The vulnerable condition is a BIG-IP APM access policy attached to a virtual server. An attacker who can reach that virtual server can trigger the flaw by sending specially crafted traffic; no credentials are required. Successful exploitation gives the attacker code execution on the affected system.

  • Network exposure, no authentication needed.
  • Attacker sends malicious traffic.
  • Remote code execution occurs.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could permit unauthorized attackers to execute arbitrary code on affected systems. Successful exploitation could lead to the compromise of confidential data, disruption of services, and the deployment of additional malicious payloads. Given the nature of the vulnerability and its presence in internet-facing systems, organizations should consider this a high-priority issue.

  • Likely attacker skill level: High
  • Required access or conditions: None
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Specific malicious traffic can allow remote code execution when a BIG-IP APM access policy is configured. This critical vulnerability affects external-facing systems and requires immediate attention. Organizations should prioritize understanding their exposure and implementing vendor-provided solutions to mitigate the risk of compromise.

  • Identify exposed BIG-IP APM assets: virtual servers with an access policy attached that are reachable from untrusted networks.
  • Reduce exposure or isolate risk: restrict who can reach those virtual servers until the fix is in place.
  • Apply the vendor fix (upgrade to a fixed version listed above) and validate the running version on every affected device.
  • Monitor for related issues.
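The remediation steps above come down to knowing which BIG-IP build each APM-enabled virtual server runs and whether that build falls inside the affected ranges. The following is an added example for this page, not F5 tooling and not part of the advisory: it encodes the affected ranges listed above and classifies a version string, optionally pulled from `tmsh show sys version`-style text (the sample output embedded in it is constructed, not a real capture). It assumes BIG-IP versions compare numerically per dotted component with a missing trailing component treated as zero, so 17.5.1 sorts before 17.5.1.3. It only answers the version question; whether an access policy is attached to an internet-reachable virtual server, the precondition named in the attack path, still has to be checked on the device, and a version outside every listed branch is reported as unlisted rather than safe.

```python
"""Assess a BIG-IP version against the CVE-2025-53521 affected ranges.

Added example for this page; not F5 tooling and not part of the advisory.
The ranges are copied from the "affected versions" list above.
Assumption: BIG-IP versions order numerically per dotted component
(major.minor.maintenance.point) and a missing trailing component means 0.
"""
import re
from typing import Optional, Tuple

# (first affected, first fixed) per branch: affected if lo <= v < hi
AFFECTED_RANGES = [
    ("15.1.0", "15.1.10.8"),
    ("16.1.0", "16.1.6.1"),
    ("17.1.0", "17.1.3"),
    ("17.5.0", "17.5.1.3"),
]


def parse_version(s: str) -> Tuple[int, ...]:
    """'17.5.1' -> (17, 5, 1, 0); rejects anything that is not dotted digits."""
    parts = s.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    nums = [int(p) for p in parts]
    # pad to four components so 17.5.1 compares as 17.5.1.0 (< 17.5.1.3)
    return tuple(nums + [0] * (4 - len(nums)))


def assess(version: str) -> Tuple[str, str]:
    """Return (status, detail); status is 'affected', 'fixed' or 'unlisted'."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo_t, hi_t = parse_version(lo), parse_version(hi)
        if lo_t <= v < hi_t:
            return "affected", f"{version} is in [{lo}, {hi}); upgrade to {hi} or later"
        # same major.minor branch, at or past the fix point
        if v >= hi_t and v[:2] == hi_t[:2]:
            return "fixed", f"{version} is at or past {hi}"
    # e.g. 14.x or 16.0.x: not covered by the ranges on this page, so not a
    # clean bill; the vendor advisory is the authority for those branches
    return "unlisted", f"{version} is on a branch not listed here; check the vendor advisory"


# Matches the 'Version' field in `tmsh show sys version`-style text
_VERSION_LINE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+){1,3})\s*$", re.MULTILINE)


def version_from_tmsh(output: str) -> Optional[str]:
    """Pull the running version out of `tmsh show sys version`-style text."""
    m = _VERSION_LINE.search(output)
    return m.group(1) if m else None


# Constructed sample in the shape of `tmsh show sys version` output; not a
# real capture. Real output carries more fields (Build, Date, ...).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1.3
  Build       0.0.5
  Edition     Point Release 3
"""


if __name__ == "__main__":
    for ver in ("17.1.1.3", "17.5.1", "15.1.10.8", "16.1.6.1", "16.0.1", "14.1.4"):
        status, detail = assess(ver)
        print(f"{ver:<10} {status:<9} {detail}")
    found = version_from_tmsh(SAMPLE_TMSH_OUTPUT)
    if found:
        print("from tmsh sample:", found, *assess(found))
```

Run it as-is to see the classification of each constructed input, or feed the output of `tmsh show sys version` from a real device into `version_from_tmsh` and pass the result to `assess`. Keep the `unlisted` status distinct from `fixed` in any inventory report; collapsing the two is how out-of-support branches get marked as patched.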

Frequently asked questions

What is F5 BIG-IP Access Policy Manager and its function?

F5 BIG-IP Access Policy Manager (APM) is part of the BIG-IP platform. It controls and secures user access to applications and resources by acting as a gateway for authentication, authorization, and secure connections to services.

What is the weakness class of CVE-2025-53521 in BIG-IP APM?

CVE-2025-53521 is classified as a stack-based buffer overflow (CWE-121). This weakness occurs when a program writes more data into a stack-allocated buffer than the buffer can hold, overwriting adjacent stack memory such as saved return addresses; an attacker who controls the overflowing data can use that to redirect execution and run code of their choosing.

How can CVE-2025-53521 be exploited and what is the scope?

Exploitation occurs when specific malicious traffic is sent to a BIG-IP virtual server that has an APM access policy configured. This can lead to remote code execution (RCE). The vulnerability is reachable over the network and requires no authentication, so any client that can reach the affected virtual server can attempt it.

What is the relevance of CVE-2025-53521 to internet-facing systems?

Halo Surface Signal scores this CVE as 'Very likely' due to its nature. F5 BIG-IP APM is typically deployed as an internet-facing gateway and identity/access portal, making it a public-facing service by design and thus a prime target for external threats.

What steps should be taken to address this vulnerability?

Organizations should identify exposed BIG-IP APM assets, reduce or isolate any identified risks, apply vendor-provided fixes, and validate their implementation. Continuous monitoring for related issues is also recommended.
