Warning: Remote Code Execution in F5 BIG-IP APM, Patch Immediately!

Published: 30/03/2026
  • Last update: 30/03/2026
  • Affected software: F5 BIG-IP APM
  • Type: Remote Code Execution
  • CVE/CVSS
    → CVE-2025-53521: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

F5 - https://my.f5.com/manage/s/article/K000156741

Risks

CVE-2025-53521 is a vulnerability in F5 BIG-IP APM that allows an unauthenticated attacker to perform remote code execution when an APM access policy is configured on a virtual server.

F5 BIG-IP APM is an access management product used to secure and control access to applications, networks, cloud resources, and APIs.

If exploited, this could lead to data breaches, system compromise, and operational downtime, impacting the confidentiality, integrity, and availability of critical businesses.

Multiple sources, including CISA, confirm threat actors are exploiting this vulnerability in the wild.

Description

A critical security vulnerability, CVE-2025-53521, has been identified in F5 BIG-IP APM. This flaw occurs when a BIG-IP APM access policy is configured on a virtual server, where specific malicious traffic can lead to remote code execution.

This vulnerability was initially published as a Denial of Service (DoS) vulnerability on 15 October 2025 but was reclassified as a remote code execution (RCE) vulnerability on 29 March 2026.

Affected versions include BIG-IP APM 17.5.0 through 17.5.1, 17.1.0 through 17.1.2, 16.1.0 through 16.1.6, and 15.1.0 through 15.1.10. F5 later re-categorized the issue from a denial-of-service condition to remote code execution, and reporting citing F5 says the vulnerability has been exploited in vulnerable BIG-IP versions.
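
The following is an added example, not part of the CCB advisory or of F5's tooling: a small triage helper that sorts a device inventory against the affected ranges listed above so patching can be prioritised. The inventory format, hostnames and sample versions are constructed, and the helper assumes that comparing only the first three version components is acceptable, so point releases inside a listed range are conservatively treated as affected.

```python
import re

# Affected BIG-IP APM ranges as listed in this advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((17, 5, 0), (17, 5, 1)),
    ((17, 1, 0), (17, 1, 2)),
    ((16, 1, 0), (16, 1, 6)),
    ((15, 1, 0), (15, 1, 10)),
]

# Assumption: extra components (e.g. "16.1.6.1") are ignored for comparison.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*$")


def parse_version(text):
    """Return (major, minor, maintenance), or None if text is not a version."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version_text, apm_policy_on_virtual_server):
    """Classify one device: 'unknown', 'not-listed', 'in-range' or 'exposed'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: review manually, never assume safe
    if not any(lo <= version <= hi for lo, hi in AFFECTED_RANGES):
        return "not-listed"  # outside the listed ranges; confirm with F5's article
    # Advisory precondition: an APM access policy configured on a virtual server.
    return "exposed" if apm_policy_on_virtual_server else "in-range"


def triage(inventory):
    """Map hostname -> classification for (host, version, apm_flag) tuples."""
    return {host: classify(ver, apm) for host, ver, apm in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("bigip-edge-01", "17.1.2", True),
    ("bigip-edge-02", "16.1.6.1", True),
    ("bigip-int-01", "15.1.10", False),
    ("bigip-int-02", "17.5.2", True),
    ("bigip-lab-01", "unknown-build", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "exposed" or "in-range" still need the compromise checks described under Recommended Actions, since a version match says nothing about whether exploitation already occurred.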

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Check for compromise (Threat Hunt)

  • Run the integrity checker available on all F5 BIG-IP APM systems by executing /usr/libexec/sys-eicheck.py.
  • Check for the indicators of compromise (IOCs) shared by F5 for any sign of compromise.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521
F5 Integrity Checker - https://my.f5.com/manage/s/article/K00029945
F5 IOC list - https://my.f5.com/manage/s/article/K000160486