{"id":419,"date":"2026-03-28T07:43:15","date_gmt":"2026-03-28T07:43:15","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=419"},"modified":"2026-03-28T07:43:15","modified_gmt":"2026-03-28T07:43:15","slug":"cisa-adds-cve-2025-53521-to-kev-after-active-f5-big-ip-apm-exploitation","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=419","title":{"rendered":"CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Mar 28, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Network Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/03\/27\/cisa-adds-one-known-exploited-vulnerability-catalog\" rel=\"noopener\" target=\"_blank\">added<\/a> a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (<a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" rel=\"noopener\" target=\"_blank\">KEV<\/a>) catalog, citing evidence of active exploitation.<\/p>\n<p>The vulnerability in question is <strong>CVE-2025-53521<\/strong> (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution.<\/p>\n<p>\"When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE),\" according to a description of the flaw in CVE.org.<\/p>\n<p>While the shortcoming was initially categorized and remediated as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7, F5 said it has been reclassified as a case of RCE in light of \"new information obtained in March 2026.\"<\/p>\n<p>The company has since <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000156741\" rel=\"noopener\" target=\"_blank\">updated<\/a> its advisory to confirm that the vulnerability \"has been exploited in the vulnerable BIG-IP versions.\" It did not share any additional details on who may be behind the exploitation activity.<\/p>\n<p>However, F5 shared a <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000160486\" rel=\"noopener\" target=\"_blank\">number of indicators<\/a> that can be used to assess if the system has been compromised &#8211;<\/p>\n<ul>\n<li>File-related indicators &#8211;\n<ul>\n<li>Presence of \/run\/bigtlog.pipe and\/or \/run\/bigstart.ltm.<\/li>\n<li>Mismatch of file hashes when compared to known good versions of \/usr\/bin\/umount and\/or \/usr\/sbin\/httpd.<\/li>\n<li>Mismatch of file sizes or timestamps when compared to known good versions of \/usr\/bin\/umount and\/or \/usr\/sbin\/httpd.<\/li>\n<li>Each release and EHF may have different file sizes and timestamps.<\/li>\n<\/ul>\n<\/li>\n<li>Log-related indicators &#8211;\n<ul>\n<li>An entry in \"\/var\/log\/restjavad-audit.&lt;number&gt;.log\" showing a local user accessing the iControl REST API from localhost.<\/li>\n<li>An entry in \"\/var\/log\/auditd\/audit.log.&lt;number&gt;\" showing a local user accessing the iControl REST API from localhost to disable SELinux.<\/li>\n<li>Log messages in \"\/var\/log\/audit\" show the results of a command being run in the audit log.<\/li>\n<\/ul>\n<\/li>\n<li>Other TTPs observed include &#8211;\n<ul>\n<li>Modifications to the underlying components that the system integrity checker, <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K00029945\" rel=\"noopener\" target=\"_blank\">sys-eicheck<\/a>, relies on (specifically \/usr\/bin\/umount and\/or \/usr\/sbin\/httpd), causing the tool to fail and indicating unexpected changes to the system software, as mentioned above.<\/li>\n<li>HTTP\/S traffic from the BIG-IP system that contains HTTP 201 response codes and a CSS content-type to disguise the attacker&#8217;s activities.<\/li>\n<li>Changes to the following three files, although their presence alone does not signal a security issue &#8211;\n<ul>\n<li>\/var\/sam\/www\/webtop\/renderer\/apm_css.php3<\/li>\n<li>\/var\/sam\/www\/webtop\/renderer\/full_wt.php3<\/li>\n<li>\/var\/sam\/www\/webtop\/renderer\/webtop_popup_css.php3<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>\"We have observed cases of webshell being written to disk; however, the webshells have been observed to work in memory only, meaning the files listed above might not be modified,\" F5 cautioned.<\/p>\n<p>The issue impacts the following versions &#8211;<\/p>\n<ul>\n<li>17.5.0 &#8211; 17.5.1 (Fixed in version 17.5.1.3)<\/li>\n<li>17.1.0 &#8211; 17.1.2 (Fixed in version 17.1.3)<\/li>\n<li>16.1.0 &#8211; 16.1.6 (Fixed in version 16.1.6.1)<\/li>\n<li>15.1.0 &#8211; 15.1.10 (Fixed in version 15.1.10.8)<\/li>\n<\/ul>\n<p>In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been given until March 30, 2026, to apply the fixes to secure their networks.<\/p>\n<p>\"When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn&#8217;t immediately signal urgency, and many system administrators likely prioritized it accordingly,\" watchTowr CEO and founder Benjamin Harris said in a statement shared with The Hacker News.<\/p>\n<p>\"Fast forward to today&#8217;s big &#8216;yikes&#8217; moment: the situation has changed significantly. What we&#8217;re observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That&#8217;s a very different risk profile than what was initially communicated.\"<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan Mar 28, 2026 Vulnerability \/ Network Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to&hellip;<\/p>\n","protected":false},"author":1,"featured_media":420,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[64,200,945,944,62,943,65,203],"class_list":["post-419","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-active","tag-adds","tag-apm","tag-bigip","tag-cisa","tag-cve202553521","tag-exploitation","tag-kev"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=419"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/419\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/420"}]
,"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}