Cyber Resilience

CVE-2025-53521

CriticalCISA KEVActive ExploitationEUVD ExploitedUK NCSC Alert

Published: 15 October 2025

Published
15 October 2025
Modified
31 March 2026
KEV Added
27 March 2026
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0877 92.7th percentile
Risk Priority 44 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-53521 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-53521 is a remote code execution vulnerability affecting F5 BIG-IP APM when an access policy is configured on a virtual server. The flaw, assigned CWE-121, is triggered by specially crafted malicious traffic and carries a CVSS 4.0 score of 9.3 reflecting network attack vector, low complexity, and no required privileges or user interaction.

Unauthenticated attackers positioned on the network can send crafted requests to an affected virtual server and obtain arbitrary code execution with full control over confidentiality, integrity, and availability of the target system. Exploitation does not depend on authentication or user interaction.

F5’s security advisory K000156741 and the CISA Known Exploited Vulnerabilities catalog both address the issue and outline available mitigations, including patches for supported versions.

The vulnerability appears in CISA’s KEV catalog, confirming observed in-the-wild exploitation. Its EPSS score rose sharply from a low baseline to a peak of 0.4141 on 2026-04-01 before receding, indicating a clear post-disclosure increase in exploitation interest.

EU & UK References

Vulnerability details

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s)
KEV Date Added
27 March 2026

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via crafted traffic to a public-facing BIG-IP APM virtual server, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23412Same product: F5 Big-Ip Access Policy Manager
CVE-2025-24497Same product class: WAF / load balancer
CVE-2025-23239Same product: F5 Big-Ip Access Policy Manager
CVE-2025-24320Same product: F5 Big-Ip Access Policy Manager
CVE-2025-20058Same product: F5 Big-Ip Access Policy Manager
CVE-2025-21091Same product: F5 Big-Ip Access Policy Manager
CVE-2025-20045Same product: F5 Big-Ip Access Policy Manager
CVE-2025-24312Same product class: WAF / load balancer
CVE-2025-20029Same product: F5 Big-Ip Access Policy Manager
CVE-2025-22846Same product: F5 Big-Ip Access Policy Manager

Affected Assets

f5
big-ip access policy manager
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the stack-based buffer overflow vulnerability in BIG-IP APM by requiring timely patching or upgrades to prevent unauthenticated RCE from malicious traffic.

detect

Enables proactive identification of CVE-2025-53521 through vulnerability scanning of BIG-IP systems, especially critical given its presence in CISA's KEV catalog.

detect

Ensures receipt and response to F5 security advisories and CISA KEV listings for this actively exploited vulnerability, prompting immediate flaw remediation.

References