Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/over-14-000-f5-big-ip-apm-instances-still-exposed-to-rce-attacks/

ONE SENTENCE SUMMARY:

Shadowserver reports more than 14,000 exposed F5 BIG-IP APM systems amid active exploitation of CVE-2025-53521, a vulnerability that has been reclassified as RCE.

MAIN POINTS:

  1. Shadowserver observed widespread internet exposure of BIG-IP APM during ongoing exploit activity.
  2. BIG-IP APM functions as F5’s centralized access management proxy for networks and applications.
  3. CVE-2025-53521 was initially disclosed as a DoS issue in October.
  4. New information obtained in March 2026 prompted reclassification of the flaw as remote code execution.
  5. F5 confirmed exploitation against vulnerable BIG-IP versions in an updated Sunday advisory.
  6. Unauthenticated attackers can achieve RCE when access policies exist on a virtual server.
  7. Shadowserver tracks over 17,100 IPs fingerprinted as BIG-IP APM.
  8. More than 14,000 systems remain exposed despite the vulnerability’s active exploitation status.
  9. CISA ordered U.S. federal agencies to secure affected systems by Monday midnight.
  10. F5 released IOCs, recommends reviewing disk, logs, and terminal history, and provides rebuild guidance.

TAKEAWAYS:

  1. Reclassification from DoS to RCE materially raises urgency and exploit impact.
  2. Internet-exposed access gateways like APM become high-value, quickly targeted entry points.
  3. Meeting government remediation deadlines may still leave large vulnerable populations online.
  4. Incident response should include compromise hunting using vendor-provided IOCs.
  5. Restoring from potentially tainted UCS backups risks persistent malware; rebuild from known-good sources.