Skip to content
Tech News
← Back to articles

Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks

2026-04-02 | original
read original get F5 Networks BIG-IP Security Kit → more articles
Why This Matters

The ongoing exposure of over 14,000 F5 BIG-IP APM instances to critical remote code execution vulnerabilities highlights the urgent need for organizations to prioritize patching and security measures. This vulnerability's exploitation could lead to severe breaches, impacting network security and data integrity across industries. Staying vigilant and promptly applying updates is essential to mitigate potential cyber threats affecting enterprise infrastructure.

Key Takeaways

Internet threat-monitoring non-profit Shadowserver has found over 14,000 BIG-IP APM instances exposed online amid ongoing attacks exploiting a critical-severity remote code execution (RCE) vulnerability.

BIG-IP APM (short for Access Policy Manager) is F5's centralized access management proxy solution designed to help admins secure access to their organizations' networks, cloud, applications, and application programming interfaces (APIs).

This 5-month-old flaw (tracked as CVE-2025-53521) was disclosed in October as a denial-of-service (DoS) vulnerability and was reclassified as an RCE bug over the weekend.

"Due to new information obtained in March 2026, the original vulnerability is being re-categorized to an RCE. The original CVE remediation has been validated to address the RCE in the fixed versions. We have learned that this vulnerability has been exploited in the vulnerable BIG-IP versions," F5 warned in a Sunday advisory update.

Attackers without privileges are exploiting this security issue to gain remote code execution on unpatched BIG-IP APM systems with access policies configured on a virtual server.

While there is no information on how many BIG-IP APM instances exposed on the Internet have a vulnerable configuration, Internet threat-monitoring non-profit Shadowserver said on Wednesday that it now tracks over 17,100 IPs with BIG-IP APM fingerprints.

F5 BIG-IP APM exposed online (Shadowserver)

​More than 14,000 BIG-IP APM systems remain exposed to CVE-2025-53521 attacks according to Shadowserver's data, even though the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure their BIG-IP APM systems by midnight on Monday (after adding the vulnerability to its list of actively exploited flaws on Friday).

F5 has also shared published indicators of compromise (IOCs) and advised defenders to check the disks, logs, and terminal history of BIG-IP devices for signs of malicious activity. It also provides guidance on the measures to take after detecting evidence of compromise, including rebuilding the affected systems from scratch.

"If customers do not know exactly when the system was compromised, user configuration set (UCS) backups may have been created after the compromise occurred," the company said.

... continue reading

Explore topics: f5 big-ip apm cve-2025-53521 shadowserver remote code execution
Related:
Are We Training AI Too Late?
GIGABYTE Control Center vulnerable to arbitrary file write flaw
Claude AI finds Vim, Emacs RCE bugs that trigger on file open
Fortinet BIG-IP Vulnerability Reclassified as RCE, Under Exploitation
F5 BIG-IP Vulnerability Reclassified as RCE, Under Exploitation

© 2026 GoKawiil

About | Editorial Policy | Contact