F5 BIG-IP APM vulnerability CVE-2025-53521, a CVSS 9.8 unauthenticated RCE, was added to CISA's KEV catalog. It had originally been classified as DoS, but was reclassified after a China-linked APT that compromised F5's network stole source code and vulnerability details. Federal agencies must respond by March 30, 2026.
