A vulnerability in F5 BIG-IP Access Policy Manager that sat quietly as a “denial-of-service” bug since October 2025 has been reclassified as a pre-authentication remote code execution flaw — and it’s already being exploited in the wild. CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on March 27, and if you run BIG-IP APM, you need to check your patch level now.
What happened
F5 originally disclosed CVE-2025-53521 in its October 2025 Quarterly Security Notification as a DoS issue in the apmd process (CVSS v4: 8.7). In March 2026, based on new exploitation data, F5 reclassified it as an unauthenticated RCE with a bumped CVSS v3.1 score of 9.8 and v4 score of 9.3. The flaw is triggered when a BIG-IP APM access policy is configured on a virtual server — a nearly universal deployment pattern for APM customers.
Why this matters
The reclassification matters because plenty of teams may have deprioritized the original DoS advisory. A DoS in a load balancer is annoying; pre-auth RCE on a device that sits in front of your entire application stack is a different threat model entirely. Successful exploitation grants root-level access to the underlying OS.
F5 tracks post-exploitation malware under the identifier “c05d5254.” Attackers are dropping persistent implants that create files at /run/bigtlog.pipe and /run/bigstart.ltm, and replacing system binaries including /usr/bin/umount and /usr/sbin/httpd.
What’s vulnerable
The flaw affects the apmd daemon in the following BIG-IP versions:
- 17.5.x: 17.5.0 – 17.5.1
- 17.1.x: 17.1.0 – 17.1.2
- 16.1.x: 16.1.0 – 16.1.6
- 15.1.x: 15.1.0 – 15.1.10
Fixed versions: 17.5.2, 17.1.3, 16.1.7, and 15.1.11. Hotfixes were also issued in 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8.
What to do
- Patch immediately. If you applied the October 2025 hotfixes for the DoS classification, you’re already covered — the fix is the same. If you skipped it because “it’s just a DoS,” now’s the time.
- Hunt for compromise. Check for unexpected files at /run/bigtlog.pipe and /run/bigstart.ltm. Compare hashes of /usr/bin/umount and /usr/sbin/httpd against known-good baselines. Review audit logs for localhost iControl REST API access that you didn’t initiate.
- Restrict management access. If patching requires a maintenance window, restrict access to the APM virtual server to trusted networks only as an interim measure.
- Review your triage process. This is a textbook case of severity creep. If your vuln management workflow deprioritized this based on the original DoS classification, consider adding re-check triggers for reclassified CVEs.
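The version ranges in the "What's vulnerable" section and the file and hash checks in the "Hunt for compromise" step can be turned into a small POSIX shell script. The following is an added example written for this post, not F5 tooling: the function names, the `ROOT` prefix argument (so the checks can be rehearsed against a scratch directory before being run with an empty prefix on a real device), and the `<sha256>  <path>` baseline format are assumptions; the version ranges, hotfix numbers and file paths are the ones stated above. On a device the installed version would be taken from `tmsh show sys version`.

```shell
#!/bin/sh
# Constructed example (not F5 tooling). Assumptions: the TMOS version is
# passed in as a string; each hunt function takes a ROOT prefix so the
# checks can be rehearsed against a scratch tree, then run with ROOT="".

# Paths named in the advisory.
IMPLANT_PATHS="/run/bigtlog.pipe /run/bigstart.ltm"
WATCHED_BINARIES="/usr/bin/umount /usr/sbin/httpd"

# is_affected_version VERSION
# Return 0 if VERSION lies in an affected range (15.1.0-15.1.10, 16.1.0-16.1.6,
# 17.1.0-17.1.2, 17.5.0-17.5.1) without the point hotfix (15.1.10.8,
# 16.1.6.1, 17.5.1.3); return 1 otherwise. Branches not listed in the
# advisory are treated as out of scope.
is_affected_version() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}
    case "$ver" in
        *.*.*.*) hotfix=${ver##*.} ;;
        *)       hotfix=0 ;;
    esac
    case "$major.$minor" in
        15.1) last=10; hf_fix=8 ;;
        16.1) last=6;  hf_fix=1 ;;
        17.1) last=2;  hf_fix=0 ;;   # fix is 17.1.3 itself, no point hotfix on 17.1.2
        17.5) last=1;  hf_fix=3 ;;
        *)    return 1 ;;
    esac
    if [ "$patch" -lt "$last" ]; then return 0; fi
    if [ "$patch" -gt "$last" ]; then return 1; fi
    # Last affected point release of the branch: safe only with the hotfix.
    if [ "$hf_fix" -gt 0 ] && [ "$hotfix" -ge "$hf_fix" ]; then return 1; fi
    return 0
}

# hunt_implant_files [ROOT]
# Print each implant artifact present under ROOT; return 0 if any exist.
hunt_implant_files() {
    root=${1:-}
    found=1
    for f in $IMPLANT_PATHS; do
        if [ -e "$root$f" ]; then
            echo "SUSPICIOUS: $root$f exists"
            found=0
        fi
    done
    return $found
}

# record_baseline [ROOT] OUTFILE
# Write "<sha256>  <path>" lines for the watched binaries from a known-good
# tree, using device-absolute paths so the file is portable between hosts.
record_baseline() {
    root=${1:-}
    out=$2
    : > "$out"
    for f in $WATCHED_BINARIES; do
        h=$(sha256sum "$root$f" | awk '{ print $1 }')
        printf '%s  %s\n' "$h" "$f" >> "$out"
    done
}

# verify_binaries [ROOT] BASELINE
# Compare each watched binary under ROOT with the baseline; return 0 only
# if every binary matches. A missing file hashes to nothing and so mismatches.
verify_binaries() {
    root=${1:-}
    baseline=$2
    ok=0
    for f in $WATCHED_BINARIES; do
        expected=$(awk -v p="$f" '$2 == p { print $1 }' "$baseline")
        if [ -z "$expected" ]; then
            echo "NO BASELINE: $f"; ok=1; continue
        fi
        actual=$(sha256sum "$root$f" 2>/dev/null | awk '{ print $1 }')
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $root$f"; ok=1
        else
            echo "ok: $root$f"
        fi
    done
    return $ok
}

# Usage on a device:  sh hunt.sh check VERSION BASELINE_FILE
case "${1:-}" in
    check)
        if is_affected_version "$2"; then echo "version $2: AFFECTED, patch now"
        else echo "version $2: not in an affected range"; fi
        hunt_implant_files || true
        verify_binaries "" "$3" || true
        ;;
esac
```

Record the baseline from a device you trust (ideally a fresh install of the fixed release) and keep it off the appliance, since an implant that replaces `/usr/sbin/httpd` could equally replace a baseline stored alongside it. A hash mismatch or the presence of either `/run` artifact is a signal to move to incident response rather than simply patching.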