CISA Flags Actively Exploited F5 BIG-IP APM Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw in F5’s BIG-IP Access Policy Manager software to its Known Exploited Vulnerabilities catalog on Friday. The agency’s action was prompted by evidence that threat actors are actively exploiting the vulnerability in real-world attacks.

Tracked as CVE-2025-53521, the flaw carries a high CVSS v4 severity score of 9.3. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code remotely on affected systems. This level of access could lead to a complete compromise of the network device.

Immediate Action Required for Administrators

By adding the vulnerability to the KEV catalog, CISA has mandated that all U.S. federal civilian executive branch agencies must apply F5’s provided patches by a specified deadline. While the directive is legally binding only for federal agencies, CISA strongly urges all organizations, including private sector and state, local, tribal, and territorial governments, to prioritize patching this flaw.

The F5 BIG-IP APM is a widely deployed network security and access solution. It functions as an application delivery controller and a secure gateway for remote access, making it a high-value target for cybercriminals. A compromise of such a system could provide attackers with a foothold inside corporate networks.

Background on the KEV Catalog

CISA’s Known Exploited Vulnerabilities catalog is a list of security flaws for which reliable evidence of active exploitation exists. The catalog is a key component of the agency’s effort to drive timely remediation of the most significant threats. Binding Operational Directive 22-01 requires federal agencies to patch vulnerabilities listed in the catalog within strict timeframes.

Inclusion in the KEV catalog signifies that the vulnerability is not merely a theoretical risk but is being used by adversaries in the wild. This often accelerates the patching timeline for organizations globally, as it serves as an authoritative indicator of immediate threat.
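One way a defender can operationalize the catalog, as an added example that is not drawn from the article, CISA or F5: a script that indexes a snapshot of the KEV JSON feed and cross-references an asset inventory against it, flagging any entry whose BOD 22-01 due date has passed. The field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) follow the layout of CISA's published JSON feed; the dates, descriptions, second catalog entry and hostnames below are constructed sample data and not the real catalog records for CVE-2025-53521.

```python
import json
from datetime import date

# Constructed snapshot in the shape of CISA's KEV JSON feed. The field names
# match the public feed; the dates, descriptions and the second entry are
# placeholders for illustration, not the real catalog records.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example-snapshot",
    "dateReleased": "2025-08-01T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-53521",
            "vendorProject": "F5",
            "product": "BIG-IP Access Policy Manager",
            "vulnerabilityName": "F5 BIG-IP APM vulnerability (placeholder name)",
            "dateAdded": "2025-07-18",            # placeholder date
            "shortDescription": "Placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product if mitigations "
                              "are unavailable.",
            "dueDate": "2025-08-01",              # placeholder date
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
            "cwes": [],
        },
        {
            "cveID": "CVE-2099-00001",            # constructed filler entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Example filler vulnerability",
            "dateAdded": "2025-08-06",
            "shortDescription": "Constructed filler entry.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2025-08-20",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
            "cwes": [],
        },
    ],
})

# Constructed asset inventory: (hostname, CVE ID) pairs as a vulnerability
# scanner or asset database might export them.
INVENTORY = [
    ("vpn-gw-01.example.internal", "CVE-2025-53521"),
    ("vpn-gw-02.example.internal", "CVE-2025-53521"),
    ("app-01.example.internal", "CVE-2099-00001"),
    ("app-02.example.internal", "CVE-2000-00002"),   # not in the KEV snapshot
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Parse a KEV feed document and index its entries by CVE ID."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def assess_inventory(inventory, kev_index, today: date) -> list[dict]:
    """Return one finding per inventory item whose CVE appears in KEV.

    Findings are sorted most urgent first (overdue items, then soonest due).
    Items absent from the catalog are skipped: KEV is an exploitation
    signal, not a complete vulnerability list, so absence means "not
    prioritised by this check", not "safe".
    """
    findings = []
    for host, cve in inventory:
        entry = kev_index.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        findings.append({
            "host": host,
            "cve": cve,
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due_date": entry["dueDate"],
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "DUE",
            "required_action": entry["requiredAction"],
        })
    findings.sort(key=lambda f: f["days_left"])
    return findings


def run_assessment(today_iso: str = "2025-08-05") -> list[dict]:
    """Run the check against the embedded snapshot and inventory."""
    return assess_inventory(INVENTORY, load_kev(KEV_SNAPSHOT),
                            date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_assessment():
        print(f"{f['status']:7} {f['cve']}  {f['host']}  due {f['due_date']} "
              f"({f['days_left']:+d} days)  {f['product']}")
```

In production the snapshot would be the downloaded feed and the inventory the scanner export; the logic is unchanged. The sort puts overdue hosts first so the report doubles as a remediation queue.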

Vendor Response and Mitigation

F5 has released security updates to address CVE-2025-53521. The company has notified customers through its security advisories, detailing the affected software versions and providing remediation guidance. The primary mitigation is to install the fixed versions of BIG-IP APM software as listed in the advisory.

For organizations unable to patch immediately, standard network security practices apply. These include restricting network access to the management interfaces of BIG-IP systems to only trusted hosts and implementing strict network segmentation to limit the potential blast radius of any compromise.

Looking Ahead and Next Steps

Security researchers expect exploitation attempts targeting CVE-2025-53521 to increase following its public listing in the KEV catalog. Organizations running F5 BIG-IP APM are advised to treat patching as an urgent operational priority. CISA and F5 will continue to monitor threat activity related to this vulnerability and may issue further guidance if the threat landscape evolves. System administrators should consult the official F5 security advisory for the most current patching information and monitor CISA’s KEV catalog for updates on mandated remediation deadlines.

Source: Original CISA Bulletin and F5 Advisory