RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521)

This issue was previously classified as a Denial-of-Service (DoS) vulnerability but was re-categorized as an RCE in March 2026 following new information. The previously released fixes remain valid and fully address the RCE in the fixed versions[1].


The vulnerability can be triggered by specially crafted malicious traffic when an APM access policy is enabled on a virtual server. Systems running in Appliance mode are also affected[1].

CVE

CVE-2025-53521

Affected Products

F5 BIG-IP APM Versions[1]:
17.x: 17.1.0 – 17.1.3, 17.5.0 – 17.5.1
16.x: 16.1.0 – 16.1.6
15.x: 15.1.0 – 15.1.10

Other F5 products, such as BIG-IQ, BIG-IP Next, F5OS, NGINX products, and F5 Distributed Cloud services, do not appear to be affected.

Exploitation

F5 has confirmed that active exploitation has been observed in vulnerable BIG-IP versions.

Recommended Actions

Truesec recommends upgrading immediately per vendor instruction. Furthermore, threat hunting will be conducted across all our MDR customers.

Truesec also recommends that you investigate suspicious log entries on your BIG-IP systems; examples can be seen under "Detection".

Detection

/var/log/restjavad-audit.<NUMBER>.log [ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}

This entry shows the local account f5hubblelcdadmin issuing a POST to /mgmt/tm/util/bash through the iControl REST API on localhost. That endpoint executes an arbitrary bash command on the device, so any unexpected caller of it should be treated as suspicious.
/var/log/auditd/audit.log
msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

This entry records SELinux being switched to permissive mode (enforcing=0, i.e. setenforce 0). In the observed activity it follows the iControl REST bash call above, showing that the same local access was used to disable SELinux enforcement on the device.
/var/log/audit
user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash

This entry shows a command being run in the audit log, correlated to the iControl REST request above[2]. The related audit messages (not reproduced in full here) show Base64-encoded data being echoed into a file and /run/bigstart.ltm being executed[2].
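As an added example (not code from Truesec or F5), the following Python script applies the three indicators above to log lines: a POST to /mgmt/tm/util/bash in restjavad-audit, a setenforce notice with enforcing=0 in auditd, and a successful "run util bash" in the tmsh audit log. It then correlates the REST caller with the tmsh user, stripping the "local/" prefix that only the REST log carries. The sample lines are constructed to mirror the shapes shown in this advisory and the surrounding line prefixes are assumptions about the log layout, not captured data.

```python
"""Triage helper for the three BIG-IP log artifacts listed under Detection.
Added example; not Truesec's or F5's code. SAMPLE_LINES are constructed."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators from the advisory: iControl REST bash endpoint, SELinux switched
# off, and a shell spawned from tmsh.
REST_BASH_URI = "/mgmt/tm/util/bash"
REST_RE = re.compile(r'\{"user":.*\}')  # JSON object at end of restjavad-audit line
SETENFORCE_RE = re.compile(r"setenforce notice \(enforcing=(\d)\)")
TMSH_RE = re.compile(
    r"user=(?P<user>\S+).*?status=\[(?P<status>[^\]]*)\].*?cmd_data=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    source: str            # which log the hit came from
    user: Optional[str]    # account, if the log records one
    reason: str


def check_restjavad(line: str) -> Optional[Finding]:
    """restjavad-audit.N.log: flag POSTs to the util/bash endpoint."""
    m = REST_RE.search(line)
    if not m:
        return None
    try:
        rec = json.loads(m.group(0))
    except json.JSONDecodeError:
        return None
    if rec.get("method") == "POST" and REST_BASH_URI in rec.get("uri", ""):
        return Finding("restjavad-audit", rec.get("user"),
                       f"POST to {REST_BASH_URI} from {rec.get('from')} "
                       f"(status {rec.get('status')})")
    return None


def check_auditd(line: str) -> Optional[Finding]:
    """auditd/audit.log: flag SELinux being switched to permissive."""
    m = SETENFORCE_RE.search(line)
    if m and m.group(1) == "0":
        return Finding("auditd", None, "SELinux set to permissive (setenforce 0)")
    return None


def check_tmsh_audit(line: str) -> Optional[Finding]:
    """/var/log/audit: flag a successful 'run util bash' from tmsh."""
    m = TMSH_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith("run util bash") and m.group("status") == "Command OK":
        return Finding("audit", m.group("user"), f"tmsh executed: {cmd}")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run every line through the three checks; first hit wins per line."""
    findings = []
    for line in lines:
        for check in (check_restjavad, check_auditd, check_tmsh_audit):
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


def correlate(findings: Iterable[Finding]) -> set:
    """Users seen both calling util/bash over REST and spawning bash in tmsh.
    The REST log prefixes local accounts with 'local/'; strip it to match."""
    findings = list(findings)
    rest = {f.user.split("/")[-1] for f in findings
            if f.source == "restjavad-audit" and f.user}
    tmsh = {f.user for f in findings if f.source == "audit" and f.user}
    return rest & tmsh


# Constructed sample lines (assumed layouts; only the fields quoted in the
# advisory are taken from it).
SAMPLE_LINES = [
    '[I][1][ForwarderPassThroughWorker] {"user":"local/f5hubblelcdadmin",'
    '"method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash",'
    '"status":200,"from":"Unknown"}',
    '[I][2][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET",'
    '"uri":"http://localhost:8100/mgmt/tm/sys/version","status":200,"from":"10.0.0.5"}',
    "type=MAC_STATUS msg=audit(1.0:1): msg='avc: received setenforce notice "
    "(enforcing=0) exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "notice tmsh[1234]: AUDIT - pid=1234 user=f5hubblelcdadmin folder=/Common "
    "module=(tmos)# status=[Command OK] cmd_data=run util bash -c 'id'",
    "notice tmsh[1240]: AUDIT - pid=1240 user=admin folder=/Common "
    "module=(tmos)# status=[Command OK] cmd_data=show sys version",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for h in hits:
        print(f"[{h.source}] user={h.user} {h.reason}")
    print("correlated users:", correlate(hits))
```

On a real device, feed the script the concatenated contents of /var/log/restjavad-audit.*.log, /var/log/auditd/audit.log and /var/log/audit; the checks are line-oriented, so ordering across files does not matter, but note that the auditd setenforce line carries no user and is reported on its own rather than correlated.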

References

[1] https://my.f5.com/manage/s/article/K000156741

[2] https://my.f5.com/manage/s/article/K000160486

The post RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521) appeared first on Truesec.