CVE-2025-53521
Published: 15 October 2025
Summary
CVE-2025-53521 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-53521 is a remote code execution vulnerability affecting F5 BIG-IP APM when an access policy is configured on a virtual server. The flaw, assigned CWE-121, is triggered by specially crafted malicious traffic and carries a CVSS 4.0 score of 9.3 reflecting network attack vector, low complexity, and no required privileges or user interaction.
Unauthenticated attackers positioned on the network can send crafted requests to an affected virtual server and obtain arbitrary code execution with full control over confidentiality, integrity, and availability of the target system. Exploitation does not depend on authentication or user interaction.
F5’s security advisory K000156741 and the CISA Known Exploited Vulnerabilities catalog both address the issue and outline available mitigations, including patches for supported versions.
The vulnerability appears in CISA’s KEV catalog, confirming observed in-the-wild exploitation. Its EPSS score rose sharply from a low baseline to a peak of 0.4141 on 2026-04-01 before receding, indicating a clear post-disclosure increase in exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-34630
- 🇬🇧 UK NCSC: Vulnerability affecting F5 BIG-IP APM
Vulnerability details
When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CWE(s)
- KEV Date Added
- 27 March 2026
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote code execution via crafted traffic to a public-facing BIG-IP APM virtual server, directly mapping to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the stack-based buffer overflow vulnerability in BIG-IP APM by requiring timely patching or upgrades to prevent unauthenticated RCE from malicious traffic.
Enables proactive identification of CVE-2025-53521 through vulnerability scanning of BIG-IP systems, especially critical given its presence in CISA's KEV catalog.
Ensures receipt and response to F5 security advisories and CISA KEV listings for this actively exploited vulnerability, prompting immediate flaw remediation.