CVE-2025-53521
Published: 15 October 2025
Summary
CVE-2025-53521 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stack-based buffer overflow vulnerability in BIG-IP APM by requiring timely patching or upgrades to prevent unauthenticated RCE from malicious traffic.
Enables proactive identification of CVE-2025-53521 through vulnerability scanning of BIG-IP systems, especially critical given its presence in CISA's KEV catalog.
Ensures receipt and response to F5 security advisories and CISA KEV listings for this actively exploited vulnerability, prompting immediate flaw remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote code execution via crafted traffic to a public-facing BIG-IP APM virtual server, directly mapping to exploitation of public-facing applications.
NVD Description
When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Deeper analysisAI
CVE-2025-53521 is a stack-based buffer overflow vulnerability (CWE-121) in F5 BIG-IP Access Policy Manager (APM). It affects systems where an APM access policy is configured on a virtual server, allowing specific malicious traffic to trigger remote code execution (RCE). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this issue.
An unauthenticated attacker with network access can exploit the vulnerability by sending crafted traffic to the affected virtual server. No user interaction or privileges are required, enabling low-complexity remote exploitation that results in full confidentiality, integrity, and availability impacts through arbitrary code execution on the BIG-IP system.
F5 has published a security advisory at https://my.f5.com/manage/s/article/K000156741 with details on affected versions and mitigation steps. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521, indicating active real-world exploitation.
Details
- CWE(s)
- KEV Date Added
- 27 March 2026