A critical vulnerability in the F5 BIG-IP Access Policy Manager (APM) has been reclassified as an unauthenticated remote code execution flaw. It is currently being used by initial access brokers to gain a foothold on enterprise perimeters.
Tracked as CVE-2025-53521, the vulnerability was originally classified as a session management issue, but forensic analysis of recent intrusions confirms it can be weaponized for unauthenticated command execution. Threat actors are using it to bypass authentication and run unauthorized scripts directly on the appliance, which then serves as a gateway into the internal corporate network.
The reclassification of a perimeter vulnerability to unauthenticated RCE significantly increases the immediate risk to any exposed BIG-IP instance. Attackers prioritize these devices because they often sit in front of critical applications and provide a stable pivot point for large-scale data exfiltration.
– Immediately upgrade F5 BIG-IP to the latest security version (e.g., 17.1.x or 15.1.x patched releases).
– Restrict all access to the BIG-IP management interface to authorized internal administrative IP ranges only.
– Conduct a retroactive forensic audit of BIG-IP logs for anomalous session creation or unauthorized script execution dating back to March 2026.
– Implement strict ingress filtering and utilize a Zero Trust gateway to protect the management plane of the appliance.
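As an added example that is not part of the original post: a Python script implementing the log-audit step above against constructed sample lines modelled loosely on the syslog format BIG-IP APM writes to /var/log/apm. The field layout, the apmd daemon name, the message IDs and the access-policy item names ('Logon Page', 'AD Auth', ...) are assumptions for this example, not a published F5 format; adapt the regexes to what your appliance actually logs. It hunts for two things a reviewer would look for after an authentication-bypass report: sessions that reach an access-policy result without any logon or authentication item having run, and bursts of session creation from a single client IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled loosely on BIG-IP APM's /var/log/apm lines.
# Hostname, session IDs, addresses and timestamps are invented; the field
# layout and policy item names are assumptions, not a published F5 format.
SAMPLE_LOG = """\
Mar 14 09:12:01 bigip1 notice apmd[3210]: 01490500:5: 7a1c9d2e: New session from client IP 10.20.5.17 (ST=/CC=/C=) at VIP 198.51.100.10 Listener /Common/ap_corp (Reputation=Unknown)
Mar 14 09:12:04 bigip1 notice apmd[3210]: 01490010:5: 7a1c9d2e: Username 'jsmith'
Mar 14 09:12:04 bigip1 notice apmd[3210]: 01490005:5: 7a1c9d2e: Following rule 'Successful' from item 'AD Auth' to ending 'Allow'
Mar 14 09:12:04 bigip1 notice apmd[3210]: 01490102:5: 7a1c9d2e: Access policy result: Network_Access
Mar 14 09:15:40 bigip1 notice apmd[3210]: 01490500:5: 0b44e9f1: New session from client IP 203.0.113.45 (ST=/CC=/C=) at VIP 198.51.100.10 Listener /Common/ap_corp (Reputation=Unknown)
Mar 14 09:15:40 bigip1 notice apmd[3210]: 01490102:5: 0b44e9f1: Access policy result: Network_Access
Mar 14 09:15:41 bigip1 notice apmd[3210]: 01490500:5: 0b44e9f2: New session from client IP 203.0.113.45 (ST=/CC=/C=) at VIP 198.51.100.10 Listener /Common/ap_corp (Reputation=Unknown)
Mar 14 09:15:41 bigip1 notice apmd[3210]: 01490500:5: 0b44e9f3: New session from client IP 203.0.113.45 (ST=/CC=/C=) at VIP 198.51.100.10 Listener /Common/ap_corp (Reputation=Unknown)
Mar 14 09:15:42 bigip1 notice apmd[3210]: 01490500:5: 0b44e9f4: New session from client IP 203.0.113.45 (ST=/CC=/C=) at VIP 198.51.100.10 Listener /Common/ap_corp (Reputation=Unknown)
Mar 14 09:15:43 bigip1 notice apmd[3210]: 01490500:5: 0b44e9f5: New session from client IP 203.0.113.45 (ST=/CC=/C=) at VIP 198.51.100.10 Listener /Common/ap_corp (Reputation=Unknown)
Mar 14 09:30:12 bigip1 notice apmd[3210]: 01490500:5: c19d00aa: New session from client IP 10.20.5.88 (ST=/CC=/C=) at VIP 198.51.100.10 Listener /Common/ap_corp (Reputation=Unknown)
Mar 14 09:30:15 bigip1 notice apmd[3210]: 01490005:5: c19d00aa: Following rule 'fallback' from item 'Logon Page' to ending 'Deny'
"""

# Assumed line shape: syslog timestamp, host, severity, daemon, 8-hex message
# ID, 8-hex APM session ID, free-text message. Lines from other daemons are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ apmd\[\d+\]: "
    r"(?P<msgid>[0-9a-f]{8}):\d: (?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)
NEW_SESSION_RE = re.compile(r"^New session from client IP (?P<ip>[\d.]+) ")
# Policy items whose appearance shows the policy actually challenged the user.
# Assumed item names; replace with the ones used in your own access policy.
AUTH_ITEM_RE = re.compile(r"from item '(Logon Page|AD Auth|LDAP Auth|RADIUS Auth|SAML Auth)'")


def parse_sessions(text, year):
    """Fold log lines into one record per APM session ID."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(
            m["sid"], {"ip": None, "created": None, "authenticated": False, "allowed": False}
        )
        msg = m["msg"]
        ns = NEW_SESSION_RE.match(msg)
        if ns:
            s["ip"], s["created"] = ns["ip"], ts
        elif msg.startswith("Username '") or AUTH_ITEM_RE.search(msg):
            s["authenticated"] = True
        elif msg.startswith("Access policy result:"):
            s["allowed"] = True
    return sessions


def audit_apm_log(text, year=2026, burst_count=5, burst_window_s=60):
    """Return sessions allowed with no authentication step, and per-IP creation bursts.

    year=2026 matches the March 2026 lookback in the post and is an assumption.
    """
    sessions = parse_sessions(text, year)
    # Heuristic 1: a session reached an access-policy result but the log shows
    # no logon/auth item ever running for it. Worth a manual look after an
    # authentication-bypass report.
    allow_without_auth = sorted(
        sid for sid, s in sessions.items() if s["allowed"] and not s["authenticated"]
    )
    # Heuristic 2: burst_count or more sessions created from one client IP
    # inside burst_window_s seconds (sliding window over sorted creation times).
    by_ip = defaultdict(list)
    for s in sessions.values():
        if s["created"] is not None:
            by_ip[s["ip"]].append(s["created"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            span = (times[i + burst_count - 1] - times[i]).total_seconds()
            if span <= burst_window_s:
                bursts[ip] = len(times)
                break
    return {"allow_without_auth": allow_without_auth, "session_bursts": bursts}


if __name__ == "__main__":
    findings = audit_apm_log(SAMPLE_LOG)
    for sid in findings["allow_without_auth"]:
        print(f"REVIEW session {sid}: allowed without any authentication item logged")
    for ip, n in findings["session_bursts"].items():
        print(f"REVIEW client {ip}: {n} sessions created in a short window")
```

Run it against a copy of the logs exported off-box (remote syslog or SIEM), not against the appliance's own /var/log: an attacker who already has code execution on the device can edit or truncate the local files, so the off-box copy is the only one the audit can trust. Both heuristics produce leads for a human reviewer, not verdicts; legitimate causes (a misconfigured policy, a NAT gateway fronting many users) need to be ruled out before escalating.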
When the perimeter gateway itself is vulnerable to unauthenticated RCE, the entire internal trust model is bypassed; immediate architectural isolation is mandatory. #CodeDefence #F5 #BIGIP #RCE #PerimeterSecurity
