A vulnerability misclassified five months ago as a denial-of-service issue in F5 BIG-IP Access Policy Manager (APM) turned out to be a critical pre-authentication remote code execution flaw that is now under active exploitation. Hackers are using it to deploy a persistent malware program that runs with root privileges.

The CVE-2025-53521 vulnerability was first disclosed in October 2025 as a DoS issue with a CVSS severity score of 7.5. F5 updated the advisory Friday, reclassifying it as remote code execution and raising its score to CVSS 9.8 in light of “new information” it has received. The same day, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and the Netherlands Cyber Security Centre reported seeing active exploitation.

BIG-IP APM is F5’s secure access solution that allows enterprises, service providers, and government agencies to control authentication, authorization, and VPN access across remote, mobile, and cloud environments. The Shadowserver Foundation currently tracks over 240,000 F5 BIG-IP instances on the internet, but it’s not clear how many run vulnerable versions.

“When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn’t immediately signal urgency, and many system administrators likely prioritized it accordingly,” Benjamin Harris, CEO of offensive security firm watchTowr, told CSO. “Fast-forward to today’s big ‘yikes’ moment: The situation has changed significantly. What we’re observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That’s a very different risk profile than what was initially communicated.”

Patching is only part of the equation, and the immediate focus for security teams should be on determining whether the flaw has already been exploited in their environments, Harris noted.

The vulnerability affects BIG-IP APM versions 17.1.0 to 17.1.2, 17.5.0 to 17.5.1, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10. F5 released patches in versions 17.1.3, 17.5.1.3, 16.1.6.1, and 15.1.10.8. The company also published a knowledge base article with indicators of compromise, attacker TTPs, and hardening guidance against the observed malware.

How the attack works

BIG-IP APM is only affected when configured on a virtual server. That narrows the exposed population somewhat, but it is a common deployment. Successful exploitation grants attackers root-level access and full control of the underlying operating system.

The company tracks the deployed malware program as “c05d5254” and notes that it creates files at /run/bigtlog.pipe and /run/bigstart.ltm and makes changes to system binaries, including /usr/bin/umount and /usr/sbin/httpd. Attackers have also been observed modifying the sys-eicheck utility, which relies on RPM integrity checks to verify on-disk executables.

Log analysis can reveal patterns related to the attack. The user “f5hubblelcdadmin” accessing the iControl REST API from localhost, SELinux disable commands in auditd logs and Base64-encoded data written to files followed by execution of `/run/bigstart.ltm` all indicate successful intrusion. F5 also observed threat actors using HTTP 201 response codes with CSS content-type headers to disguise malicious traffic.
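As an added illustration (not code from the article or from F5's knowledge base), the following Python scanner checks log lines for the indicators listed above. The sample log lines, field names and log formats are constructed assumptions for this example; the patterns need adapting to the real BIG-IP httpd and auditd formats before use.

```python
import re

# Indicator patterns derived from the publicly described IoCs. The log line
# shapes (httpd access log, auditd EXECVE records) are assumptions, not F5's
# documented formats; tune them to the logs you actually collect.
LOCALHOST = r"(?:127\.0\.0\.1|::1|localhost)"
PATTERNS = {
    # f5hubblelcdadmin calling the iControl REST API (/mgmt/) from localhost
    "hubble_admin_local_rest": re.compile(
        rf"(?:{LOCALHOST}.*f5hubblelcdadmin|f5hubblelcdadmin.*{LOCALHOST}).*?/mgmt/"),
    # SELinux being disabled (setenforce 0, also in auditd a0="setenforce" a1="0" form)
    "selinux_disable": re.compile(r'setenforce\W+(?:a1=)?"?(?:0|permissive)\b|SELINUX=disabled', re.I),
    # Base64-decoded data redirected into a file
    "base64_decode_to_file": re.compile(r"base64\s+(?:-d|--decode)\b.*?>\s*(\S+)"),
    # File artifacts attributed to the c05d5254 malware
    "malware_artifact": re.compile(r"/run/(?:bigtlog\.pipe|bigstart\.ltm)"),
    # HTTP 201 responses carrying a CSS content type
    "http201_css": re.compile(r"\b201\b.*text/css|text/css.*\b201\b", re.I),
}
EXEC_BIGSTART = re.compile(r'(?:a0|exe)="?/run/bigstart\.ltm"?')


def scan_log(lines):
    """Return [(line_no, indicator)] for every line matching an indicator.

    'base64_then_exec' is stateful: it fires only when a base64 decode-to-file
    has already been seen and /run/bigstart.ltm is executed afterwards.
    """
    findings = []
    decoded_to_file = False
    for n, line in enumerate(lines, 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((n, name))
                if name == "base64_decode_to_file":
                    decoded_to_file = True
        if decoded_to_file and EXEC_BIGSTART.search(line):
            findings.append((n, "base64_then_exec"))
    return findings


# Constructed sample log; the last line is benign and should produce no finding.
SAMPLE_LOG = """\
Mar 1 10:00:01 bigip httpd[1234]: 127.0.0.1 - f5hubblelcdadmin POST /mgmt/tm/util/bash HTTP/1.1 200
Mar 1 10:00:02 bigip audispd: type=EXECVE msg=audit(1): argc=2 a0="setenforce" a1="0"
Mar 1 10:00:03 bigip audispd: type=EXECVE msg=audit(2): a0="sh" a1="-c" a2="echo QUJD | base64 -d > /run/bigstart.ltm"
Mar 1 10:00:04 bigip audispd: type=EXECVE msg=audit(3): argc=1 a0="/run/bigstart.ltm"
Mar 1 10:00:05 bigip httpd[1234]: 10.0.0.5 - - GET /tmui/login.jsp HTTP/1.1 201 Content-Type: text/css
Mar 1 10:00:06 bigip httpd[1234]: 10.0.0.7 - admin GET /mgmt/tm/sys/version HTTP/1.1 200
"""

if __name__ == "__main__":
    for line_no, indicator in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {indicator}")
```

A single indicator is a lead to investigate, not proof of compromise; the ordered decode-then-execute sequence and the malware file paths are the strongest signals here.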

Mitigation

Organizations that applied the October 2025 updates are already protected, as the original patches also address the RCE vector, but systems running vulnerable versions require immediate patching and compromise assessment.

Organizations should not assume their systems are clean based solely on patching because UCS backup files from compromised systems can contain copies of the malware. F5 recommends rebuilding configurations from scratch rather than restoring from backup if the compromise timeframe is uncertain.

The sys-eicheck utility can identify integrity failures in /usr/bin/umount and /usr/sbin/httpd, though attackers have targeted the components this tool relies on.
