5-month-old F5 BIG-IP DoS bug becomes critical RCE exploited in the wild

Source: 5-month-old F5 BIG-IP DoS bug becomes critical RCE exploited in the wild | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4152658/5-month-old-f5-big-ip-dos-bug-becomes-critical-rce-exploited-in-the-wild.html

ONE SENTENCE SUMMARY:

CVE-2025-53521 in F5 BIG-IP APM was misclassified, now exploited for pre-auth root RCE deploying persistent malware.

MAIN POINTS:

  1. CVE-2025-53521 was initially disclosed as DoS with CVSS 7.5 in October 2025.
  2. F5 reclassified it as pre-authentication remote code execution, raising severity to CVSS 9.8.
  3. CISA added the flaw to the KEV catalog due to confirmed active exploitation.
  4. Netherlands Cyber Security Centre reported observing in-the-wild exploitation of the vulnerability.
  5. Attackers deploy a persistent root-privileged malware tracked by F5 as “c05d5254”.
  6. Vulnerability impacts APM only when configured on a virtual server.
  7. Affected versions include 15.1.x, 16.1.x, 17.1.x, and 17.5.x ranges listed by F5.
  8. Fixed releases are 15.1.10.8, 16.1.6.1, 17.1.3, and 17.5.1.3.
  9. IoCs include /run/bigtlog.pipe, /run/bigstart.ltm, and modified umount/httpd binaries.
  10. Adversaries use localhost iControl REST access, SELinux disablement, and disguised HTTP 201 traffic.

TAKEAWAYS:

  1. Treat this as internet-facing, pre-auth RCE with immediate incident-response priority.
  2. Patch urgently, but also perform compromise assessment rather than trusting patch status alone.
  3. Use F5’s published IoCs, TTPs, and log patterns to hunt for successful exploitation.
  4. Avoid restoring potentially tainted UCS backups; rebuild configurations if compromise timing is unclear.
  5. Run integrity checks for key binaries, recognizing attackers may tamper with sys-eicheck dependencies.
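The hunting and integrity steps in takeaways 3 and 5 can be scripted against a filesystem image taken from a suspect appliance. The following is an added example written for this summary; it is not code from the article, from F5, or from the NCSC. It checks only the two indicator paths the article names (/run/bigtlog.pipe and /run/bigstart.ltm) and compares the umount and httpd binaries against a known-good SHA-256 baseline. The locations of those binaries under the root and the baseline hashes are assumptions constructed for the demo; in practice take the exact paths and hashes from F5's advisory or from a clean appliance running the same build. Because the article reports that the attackers modify umount and tamper with sys-eicheck dependencies, the point of the design is to run from a separate trusted host over a mounted image rather than trusting tools on the box.

```python
"""Offline triage helper for the CVE-2025-53521 indicators named in the article.
Run from a trusted host against a mounted image (or '/' on a live box if you
accept that its own binaries may be tampered with)."""
import hashlib
import tempfile
from pathlib import Path

# Filesystem indicators reported by F5 for this campaign (named in the article).
IOC_PATHS = ("run/bigtlog.pipe", "run/bigstart.ltm")

# Binaries the article reports as modified. Their locations relative to the root
# are an assumption for this example; use the paths and hashes from F5's advisory.
WATCHED_BINARIES = ("bin/umount", "usr/sbin/httpd")


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled cheaply."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt_ioc_paths(root: str) -> list[str]:
    """Return the IoC paths present under root (a mount point, or '/').
    is_symlink() is checked too so a dangling symlink still counts as a hit."""
    base = Path(root)
    return [p for p in IOC_PATHS if (base / p).exists() or (base / p).is_symlink()]


def verify_binaries(root: str, baseline: dict[str, str]) -> dict[str, str]:
    """Compare each watched binary with a known-good SHA-256 baseline.
    Status per path: 'ok', 'modified', 'missing', or 'no-baseline'."""
    base = Path(root)
    status = {}
    for rel in WATCHED_BINARIES:
        target = base / rel
        if not target.is_file():
            status[rel] = "missing"
        elif rel not in baseline:
            status[rel] = "no-baseline"
        else:
            status[rel] = "ok" if sha256_file(target) == baseline[rel] else "modified"
    return status


def triage(root: str, baseline: dict[str, str]) -> dict:
    """Combine both checks. 'suspicious' is True if any IoC path exists or any
    watched binary is missing or deviates from the baseline."""
    iocs = hunt_ioc_paths(root)
    binaries = verify_binaries(root, baseline)
    suspicious = bool(iocs) or any(v in ("modified", "missing") for v in binaries.values())
    return {"ioc_paths": iocs, "binaries": binaries, "suspicious": suspicious}


def build_demo_snapshot(tamper: bool = True) -> tuple[str, dict[str, str]]:
    """Constructed sample data: a fake filesystem snapshot in a temp directory.
    The 'clean' byte strings and their hashes are made up for this demo and do
    not correspond to any real BIG-IP build. With tamper=True, httpd is replaced
    and the pipe path the article lists as an IoC is created."""
    root = tempfile.mkdtemp(prefix="bigip-snapshot-")
    clean = {"bin/umount": b"clean umount", "usr/sbin/httpd": b"clean httpd"}
    baseline = {rel: hashlib.sha256(data).hexdigest() for rel, data in clean.items()}
    for rel, data in clean.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    if tamper:
        (Path(root) / "usr/sbin/httpd").write_bytes(b"clean httpd + implant")
        (Path(root) / "run").mkdir()
        (Path(root) / "run/bigtlog.pipe").touch()
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_snapshot()
    print(triage(demo_root, demo_baseline))
```

A clean result from this script does not clear the device: it covers only the file-based indicators the article lists, not the iControl REST activity, SELinux changes or HTTP 201 traffic pattern it also mentions, and a "missing" status on a watched binary deserves as much attention as a "modified" one. Keep the output alongside the patch status when deciding, per takeaway 4, whether a UCS backup predates the compromise.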