CVE-2025-53521

BigIP APM Vulnerability

Basic Information

CVE State: PUBLISHED
Reserved Date: October 03, 2025
Published Date: October 15, 2025
Last Updated: March 31, 2026
Vendor: F5
Product: BIG-IP
Description: When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Tags

CVSS Scores

CVSS v4.0

9.3 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2026-06-01 12:26:16 UTC) Source

References

https://my.f5.com/manage/s/article/K000156741

Known Exploited Vulnerability Information

Source	Added Date
CVE	2026-06-01 12:26:16 UTC

Timeline

CVE ID Reserved

October 03, 2025
CVE Published to Public

October 15, 2025
Added to KEVIntel

June 01, 2026