CVE-2025-53521

9.8

CRITICAL CVSS 3.1

F5 BIG-IP Stack-Based Buffer Overflow Vulnerability - [Actively Exploited]

Overview

Description

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Details

INFO

Published Date :

Oct. 15, 2025, 2:15 p.m.

Last Modified :

March 31, 2026, 5:12 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]

CISA Notification

CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Due Date: Mar 30, 2026

Alert Date: Mar 27, 2026 | 11 days ago

Description :

F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use:

Unknown

Notes :

Please adhere to F5’s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible F5 products affected by this vulnerability. For more information please see: https://my.f5.com/manage/s/article/K000156741 ; https://my.f5.com/manage/s/article/K000160486 ; https://my.f5.com/manage/s/article/K11438344 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53521

Impact

Affected Products

The following products are affected by CVE-2025-53521 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID	Vendor	Product
1	F5	big-ip_access_policy_manager
2	F5	big-ip_advanced_firewall_manager
3	F5	big-ip_analytics
4	F5	big-ip_application_acceleration_manager
5	F5	big-ip_application_security_manager
6	F5	big-ip_domain_name_system
7	F5	big-ip_fraud_protection_service
8	F5	big-ip_global_traffic_manager
9	F5	big-ip_link_controller
10	F5	big-ip_local_traffic_manager
11	F5	big-ip_policy_enforcement_manager
12	F5	big-ip_advanced_web_application_firewall
13	F5	big-ip_ddos_hybrid_defender
14	F5	big-ip_ssl_orchestrator
15	F5	big-ip_websafe
16	F5	big-ip_edge_gateway
17	F5	big-ip_webaccelerator
18	F5	big-ip_carrier-grade_nat
19	F5	big-ip_application_visibility_and_reporting
20	F5	big-ip_automation_toolchain
21	F5	big-ip_container_ingress_services

: Total Affected Vendor : 1 | Products : 21

Scoring

CVSS Scores

The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.

Version	Severity	Source
CVSS 3.1	HIGH	9dacffd4-cb11-413f-8451-fbbfd4ddc0ab
CVSS 3.1	HIGH	[email protected]
CVSS 3.1	CRITICAL	[email protected]
CVSS 4.0	HIGH	9dacffd4-cb11-413f-8451-fbbfd4ddc0ab
CVSS 4.0	HIGH	[email protected]
CVSS 4.0	CRITICAL	[email protected]

Solution

Update BIG-IP to a version that addresses the TMM termination vulnerability.

Apply the latest available BIG-IP software update.
Consult the vendor for specific upgrade instructions.
Test the updated system thoroughly.

Public PoC/Exploit Available at Github

CVE-2025-53521 has a 3 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-53521.

URL	Resource
https://my.f5.com/manage/s/article/K000156741	Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521	US Government Resource

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-53521 is associated with the following CWEs:

CWE-121: Stack-based Buffer Overflow

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-53521 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

myseq/tracker

Security Tracker

Python

Updated: 2 days, 11 hours ago

0 stars 0 fork 0 watcher

Born at : April 3, 2026, 11 a.m. This repo has been linked 5 different CVEs too.

cyberdudebivash/CYBERDUDEBIVASH-THREAT-INTEL-PLATFORM

AI POWERED ADVANCED THREAT INTEL PLATFORM

cyberdudebivash cyberdudebivashecosystem

Python Dockerfile JavaScript HTML Shell Batchfile PowerShell YARA Procfile PLpgSQL

Updated: 1 day, 12 hours ago

0 stars 0 fork 0 watcher

Born at : Feb. 9, 2026, 4:06 p.m. This repo has been linked 1 different CVEs too.

DevGreick/devgreick

None

Python

Updated: 1 day, 14 hours ago

1 stars 0 fork 0 watcher

Born at : Oct. 29, 2024, 8:10 p.m. This repo has been linked 11 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-53521 vulnerability anywhere in the article.

The Hacker News

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild. The vulnerability, tracked as CVE-2026-35616 (CVSS score: ...

Published Date: Apr 05, 2026 (1 day, 23 hours ago)

The Hacker News

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region. The campaign has bee ...

Published Date: Apr 03, 2026 (3 days, 10 hours ago)

CybersecurityNews

14,000+ F5 BIG-IP APM Exposed Online as Attackers Actively Exploiting RCE Vulnerability

A critical security flaw in F5’s BIG-IP Access Policy Manager (APM) is currently under active exploitation, leaving thousands of enterprise networks at risk. The vulnerability, officially tracked as C ...

Published Date: Apr 03, 2026 (3 days, 11 hours ago)

The Hacker News

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Serv ...

Published Date: Apr 02, 2026 (4 days, 8 hours ago)

The Hacker News

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass ...

Published Date: Apr 02, 2026 (4 days, 13 hours ago)

The Hacker News

ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories

The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reali ...

Published Date: Apr 02, 2026 (4 days, 15 hours ago)

security.nl

Ruim veertienduizend F5 BIG-IP APM-servers toegankelijk vanaf internet

Ruim veertienduizend F5 BIG-IP APM-servers zijn toegankelijk vanaf internet, zo meldt The Shadowserver Foundation. Aanvallers maken actief misbruik van een kwetsbaarheid in het platform. Het is nog on ...

Published Date: Apr 02, 2026 (4 days, 19 hours ago)

The Hacker News

New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released

Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild. The high-severity vulnerab ...

Published Date: Apr 01, 2026 (5 days, 16 hours ago)

The Hacker News

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubb ...

Published Date: Mar 31, 2026 (6 days, 12 hours ago)

security.nl

Amerikaanse overheid krijgt drie dagen voor installatie Citrix- en F5-updates

Federale Amerikaanse overheidsdiensten moeten beveiligingsupdates voor twee actief aangevallen kwetsbaarheden in producten van Citrix en F5 binnen drie dagen installeren. Het Amerikaanse cyberagentsch ...

Published Date: Mar 31, 2026 (6 days, 14 hours ago)

Hackread - Cybersecurity News, Data Breaches, AI and More

Critical F5 BIG-IP Flaw Upgraded to 9.8 RCE, Exploited in the Wild

Cybersecurity researchers at F5 have issued an urgent warning regarding a severe security flaw affecting their BIG-IP APM systems. Originally, the issue was dismissed as a minor technical glitch, but ...

Published Date: Mar 31, 2026 (6 days, 16 hours ago)

Help Net Security

Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)

A critical SQL injection vulnerability (CVE-2026-21643) in Fortinet FortiClient Endpoint Management Server (EMS), a management server for FortiClient endpoint agents on various platforms, is under act ...

Published Date: Mar 30, 2026 (1 week ago)

Daily CyberSecurity

The CVE Watchtower: Weekly Threat Intelligence Briefing (March 23 – March 29, 2026)

Whether you are steering the organizational ship as a CISO or maintaining the operational engines as a system administrator, cutting through the noise of weekly vulnerabilities is essential to keeping ...

Published Date: Mar 30, 2026 (1 week, 1 day ago)

Help Net Security

Week in review: NIST updates DNS security guidance, compromised LiteLLM PyPI packages

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: NIST updates its DNS security guidance for the first time in over a decade DNS infrastructure underpin ...

Published Date: Mar 29, 2026 (1 week, 1 day ago)

Daily CyberSecurity

CISA Issues Three-Days Patch Mandate for Critical 9.8 F5 BIG-IP RCE

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical Remote Code Execution (RCE) vulnerability affecting F5 BIG-IP systems to its Known Exploited Vulnerabilities ...

Published Date: Mar 29, 2026 (1 week, 1 day ago)

CybersecurityNews

CISA Warns of F5 BIG-IP Vulnerability Actively Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed vulnerability affecting F5 BIG-IP systems to its Known Exploited Vulnerabilities (KEV) catalog, warning tha ...