F5 BIG-IP APM's unauthenticated RCE lands in CISA KEV after Chinese APT source-code theft
F5 BIG-IP APM (Access Policy Manager) vulnerability CVE-2025-53521 was added to CISA’s Known Exploited Vulnerabilities catalog on March 27, 2026. Federal civilian agencies must remediate it by Monday, March 30.
The discovery path here is unusual. A China-linked state-backed group had been inside F5's network for roughly a year before the company disclosed the breach in October 2025. It stole BIG-IP source code and internal vulnerability information, and that material is what allowed an issue F5 had already fixed as a denial of service to be re-evaluated as remote code execution. The patch already existed; the urgency changed completely once the exploitability became clear.
Vulnerability overview
| Item | Details |
|---|---|
| CVE | CVE-2025-53521 |
| Affected product | F5 BIG-IP Access Policy Manager (APM) |
| Type | Unauthenticated remote code execution |
| CVSS v3.1 | 9.8 (Critical) |
| CVSS v4.0 | 9.3 (Critical) |
| Patch released | October 2025, originally as DoS |
| Added to CISA KEV | March 27, 2026 |
| Federal deadline | March 30, 2026 |
The vulnerable code path is reachable whenever a virtual server has an access policy attached, which is the normal state of any APM deployment that is actually serving users. A single crafted request to the apmd process is enough to obtain code execution, no credentials are needed, and running the device in appliance mode does not prevent it.
How the source-code theft changed the story
On October 15, 2025, F5 disclosed a breach. A China-linked state-sponsored group had spent about 12 months inside the company’s network without detection and stole BIG-IP source code and vulnerability details.
Using that source code, the attackers determined that an issue already patched as DoS could actually be exploited as RCE. In other words, a bug F5 had treated as low urgency in October was reclassified in March 2026 with a much higher severity level. The patch already existed; only the risk assessment changed.
The group had also deployed the Brickstorm backdoor inside F5. Brickstorm has been used in campaigns attributed to Chinese APT groups, especially against European targets, and has been observed on VMware ESXi and Linux. It is designed for long-term persistence, which matches the 12-month presence F5 described.
Technical details
F5’s post-compromise analysis shows what the attacker did after getting a foothold.
```mermaid
flowchart TD
    A[Attacker: unauthenticated HTTP request] --> B[BIG-IP APM<br/>virtual server<br/>with access policy]
    B --> C{apmd process<br/>malicious input handling<br/>CVE-2025-53521}
    C --> D[RCE achieved<br/>without authentication]
    D --> E[SELinux disabled<br/>security module turned off]
    E --> F1[Management interface takeover]
    E --> F2[In-memory web shell deployment]
    F1 --> G[Lateral movement into internal networks<br/>authentication and VPN infrastructure]
    F2 --> H[Persistence without leaving traces on disk]
```
The most troublesome piece is the memory-only web shell. Because it never touches disk, file-integrity monitoring and disk-based scanners will not see it. F5 lists tampering with system files, log entries showing SELinux being disabled, and specific HTTP/S traffic patterns as IOCs, but confirming or ruling out an in-memory shell still requires capturing and examining volatile memory, not just the file system.
The targets are enterprise BIG-IP deployments that front authentication and VPN infrastructure, including at Fortune 500 companies.
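One of the IOCs above, SELinux being switched off, leaves a kernel audit record on any SELinux host, including the Linux base that BIG-IP runs on. The following is an added example, not F5's IOC tooling and not code from the page: a generic auditd parser that assumes you have the audit log (or an exported copy) as text lines, and flags `MAC_STATUS` records where enforcing goes from 1 to 0 or SELinux is disabled outright, plus the `USER_CMD` record of the `setenforce` command that caused it. The sample log lines are constructed for this example; auditd hex-encodes `cmd=` values that contain spaces, which the parser decodes.

```python
"""Spot SELinux being switched off in Linux audit records (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample (not from a real incident). Record 1 is the normal boot
# transition into enforcing mode; records 2 and 3 are a session (auid=0, ses=3)
# running `setenforce 0` via sudo and the kernel confirming the change; record 4
# is a later re-enable. auditd hex-encodes cmd= because the value has a space.
SAMPLE_AUDIT_LOG = """\
type=MAC_STATUS msg=audit(1774600000.100:12): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
type=USER_CMD msg=audit(1774600100.200:210): pid=4121 uid=0 auid=0 ses=3 msg='cwd="/root" cmd=736574656E666F7263652030 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=MAC_STATUS msg=audit(1774600100.250:211): enforcing=0 old_enforcing=1 auid=0 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1
type=MAC_STATUS msg=audit(1774600900.300:340): enforcing=1 old_enforcing=0 auid=0 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
HEX_ENCODED_KEYS = {"cmd", "proctitle"}
SETENFORCE_OFF_RE = re.compile(r"\bsetenforce\s+(0|permissive)\b", re.I)


def decode_audit_hex(value: str) -> str:
    """auditd writes cmd=/proctitle= as unquoted hex when the string has spaces or quotes."""
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """One audit line -> flat dict of its fields, or None if it is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    # Flatten the nested msg='...' payload so its k=v pairs parse like the rest.
    rest = m["rest"].replace("msg='", "").rstrip("'")
    rec = {"type": m["type"], "ts": m["ts"], "serial": m["serial"]}
    for key, raw in KV_RE.findall(rest):
        quoted = raw.startswith('"')           # quoted values are never hex-encoded
        val = raw.strip('"')
        rec[key] = decode_audit_hex(val) if key in HEX_ENCODED_KEYS and not quoted else val
    return rec


def find_selinux_disablement(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per record that shows SELinux leaving enforcing mode."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        kind = None
        if rec["type"] == "MAC_STATUS":
            if rec.get("enforcing") == "0" and rec.get("old_enforcing") == "1":
                kind = "enforcing-off"          # setenforce 0 / permissive
            elif rec.get("enabled") == "0" and rec.get("old-enabled") == "1":
                kind = "selinux-disabled"       # SELinux turned off entirely
        elif rec["type"] == "USER_CMD" and SETENFORCE_OFF_RE.search(rec.get("cmd", "")):
            kind = "setenforce-command"         # the command itself, with who ran it
        if kind:
            findings.append({"kind": kind, "ts": rec["ts"], "serial": rec["serial"],
                             "auid": rec.get("auid", "?"), "ses": rec.get("ses", "?")})
    return findings


if __name__ == "__main__":
    for finding in find_selinux_disablement(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Two caveats when using this on a real device: an attacker who has already achieved code execution can clear or stop the audit log, so an absence of findings proves little, and SELinux disabled at boot (kernel parameter) produces no `MAC_STATUS` transition at all. Pair the log check with `getenforce` on the live system and with F5's published IOCs.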
Affected versions
| Version line | Affected range | Fixed version |
|---|---|---|
| BIG-IP APM 17.5.x | 17.5.0 to 17.5.1 | 17.5.2 and later |
| BIG-IP APM 17.1.x | 17.1.0 to 17.1.2 | 17.1.0.4 and later |
| BIG-IP APM 16.1.x | 16.1.0 to 16.1.6 | 16.1.4.3 and later |
| BIG-IP APM 15.1.x | 15.1.0 to 15.1.10 | 15.1.10.2 and later |
The patch itself was already available in October 2025, but many environments likely deprioritized it because the issue was initially framed as DoS. Confirm the exact fixed build against F5's advisory rather than assuming from the version number alone: F5 ships fixes in specific point releases, so a higher minor version is not by itself proof that the fix is present. After the KEV addition, Defused Cyber reported a spike in scans against vulnerable BIG-IP devices.
Response
Any environment running BIG-IP APM should update immediately to the fixed versions above. If APM is not provisioned on the device, for example an LTM-only deployment, the vulnerable apmd path is not exposed and you are not affected.
Because the attack path begins at a virtual server with an access policy attached, inventory those virtual servers first and treat the Internet-facing ones as the highest priority.
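The inventory step above can be done from three `tmsh list` outputs. The script below is an added example, not F5's own tooling and not code from the page. It assumes you have saved the text of `tmsh list sys provision apm`, `tmsh list apm profile access` and `tmsh list ltm virtual` (the sample output embedded here is constructed and trimmed to the fields the script reads) and answers three questions: is APM provisioned, which virtual servers carry an access profile, and which of those listen on an address outside RFC 1918, loopback and link-local space. The "routable" classification is a heuristic on the configured destination address; it cannot see upstream NAT or firewalls, so confirm the edge exposure separately.

```python
"""Triage BIG-IP APM exposure from captured tmsh output (added example)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample output. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for public addresses; %1 is a route-domain suffix as tmsh prints it.
SAMPLE_PROVISION = "sys provision apm {\n    level nominal\n}\n"
SAMPLE_ACCESS_PROFILES = """\
apm profile access /Common/vpn_access {
    access-policy /Common/vpn_access
}
apm profile access /Common/intranet_access {
    access-policy /Common/intranet_access
}
"""
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_vpn_external {
    destination /Common/203.0.113.10:443
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/vpn_access { }
    }
}
ltm virtual /Common/vs_intranet {
    destination /Common/10.1.2.3%1:443
    persist {
        /Common/cookie {
            default yes
        }
    }
    profiles {
        /Common/http { }
        /Common/intranet_access { }
    }
}
ltm virtual /Common/vs_web_plain {
    destination /Common/198.51.100.20:80
    profiles {
        /Common/http { }
    }
}
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def apm_provisioned(provision_text: str) -> bool:
    """An empty block (`sys provision apm { }`) or `level none` means not provisioned."""
    block = re.search(r"sys provision apm \{(.*?)\}", provision_text, re.S)
    level = block and re.search(r"level\s+(\S+)", block.group(1))
    return bool(level) and level.group(1) != "none"


def access_profile_names(profile_text: str) -> set:
    return set(re.findall(r"^apm profile access (\S+) \{", profile_text, re.M))


def parse_virtuals(virtual_text: str) -> List[Dict]:
    """Name, destination and the entries of each `profiles { }` block only, so
    persistence or pool entries (also /Common/... names) are not taken for profiles."""
    virtuals, current, in_profiles = [], None, False
    for line in virtual_text.splitlines():
        head = re.match(r"^ltm virtual (\S+) \{", line)
        if head:
            current = {"name": head.group(1), "destination": None, "profiles": []}
            virtuals.append(current)
            in_profiles = False
        elif current is None:
            continue
        elif line.startswith("    destination "):
            current["destination"] = line.split()[1]
        elif line == "    profiles {":
            in_profiles = True
        elif in_profiles and line == "    }":
            in_profiles = False
        elif in_profiles:
            prof = re.match(r"^        (\S+) \{", line)   # one indent level inside profiles
            if prof:
                current["profiles"].append(prof.group(1))
    return virtuals


def destination_address(dest: str):
    """/Common/203.0.113.10%1:443 -> 203.0.113.10; /Common/2001:db8::1.443 -> 2001:db8::1"""
    host = re.sub(r"%\d+", "", dest.rsplit("/", 1)[-1])
    sep = "." if host.count(":") > 1 else ":"            # IPv6 destinations use addr.port
    return ipaddress.ip_address(host.rsplit(sep, 1)[0])


def classify_exposure(addr) -> str:
    if addr.is_unspecified:
        return "any"                                      # 0.0.0.0 / :: listens everywhere
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "routable"


def triage(provision_text: str, profile_text: str, virtual_text: str) -> Dict:
    names = access_profile_names(profile_text)
    rows = []
    for vs in parse_virtuals(virtual_text):
        attached = [p for p in vs["profiles"] if p in names]
        if not attached:
            continue                                      # no access policy: not on the apmd path
        try:
            exposure = classify_exposure(destination_address(vs["destination"] or ""))
        except ValueError:
            exposure = "unknown"                          # named virtual-address: check by hand
        rows.append({"virtual": vs["name"], "destination": vs["destination"],
                     "access_profiles": attached, "exposure": exposure,
                     "priority": 2 if exposure == "internal" else 1})
    rows.sort(key=lambda r: r["priority"])
    return {"apm_provisioned": apm_provisioned(provision_text), "access_policy_virtuals": rows}
```

Run `triage()` on the three saved outputs and patch in the order of the returned list; anything marked "unknown" or "any" is deliberately sorted with the Internet-facing group so it is looked at by hand rather than quietly deprioritized.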
CISA adds a vulnerability to the KEV catalog only on evidence of active exploitation. Research suggests KEV-listed vulnerabilities are roughly 10 times more likely to be exploited than an ordinary CVE, so the fact that a fix has existed since October is reassuring only if you can show it was actually installed on every APM device you run.