Attackers are aggressively weaponizing a reclassified vulnerability in F5 BIG-IP to deploy web shells and establish persistent footholds in enterprise perimeters. The shift from a denial-of-service classification to unauthenticated remote code execution has led to a high-volume exploitation cycle by initial access brokers.
Tracked as CVE-2025-53521, the flaw resides in the Access Policy Manager (APM) when an access policy is attached to a virtual server. Threat actors are utilizing crafted traffic to execute unauthorized code directly on the appliance. Recent forensic investigations have identified multiple clusters of compromised BIG-IP instances where web shells were implanted shortly after the reclassification was publicized.
Perimeter gateways are high-risk targets because they frequently bypass the visibility of internal security tools. A compromise at the APM layer allows an attacker to intercept traffic, steal credentials, and pivot into the secure internal network segment.
– Immediately upgrade F5 BIG-IP to the latest fixed versions (17.1.3, 16.1.6.1, 15.1.10.8, or higher).
– Conduct a thorough forensic sweep of the BIG-IP file system for unauthorized web shells or anomalous cron jobs.
– Audit all authentication logs for anomalous session creation or unauthorized account activity dating back to March 2026.
– Implement strict ingress filtering and utilize a Zero Trust gateway to protect the appliance management and data planes.
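To act on the first step across a fleet, the version check has to respect release branches: a host is fixed only if it is at or above the fixed build for its own branch, and a dropped trailing segment ("16.1.6" vs "16.1.6.1") must not be mistaken for a patched build. The helper below is an added example, not code from the post or from F5; the branch-to-fix mapping is taken from the versions listed above, the hostnames and version strings are constructed, and any branch not in that list is reported as unknown rather than assumed safe.

```python
"""Triage a BIG-IP inventory against the fixed versions listed for CVE-2025-53521."""

# Minimum fixed version per release branch, taken from the post. The key is the
# leading "major.minor" of the version string. Branches not listed here are
# reported as unknown so they get checked manually against F5's advisory.
FIXED_VERSIONS = {
    "17.1": "17.1.3",
    "16.1": "16.1.6.1",
    "15.1": "15.1.10.8",
}

def parse_version(version: str) -> tuple:
    """Turn '16.1.6.1 Build 0.0.5' or '16.1.6.1-0.0.5' into (16, 1, 6, 1)."""
    core = version.strip().split()[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))

def compare(a: tuple, b: tuple) -> int:
    """Compare two version tuples; missing trailing segments count as 0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one version string."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "fixed" if compare(parsed, parse_version(fixed)) >= 0 else "vulnerable"

def triage(inventory: dict) -> dict:
    """Map each hostname in {hostname: version} to its assessment."""
    return {host: assess(ver) for host, ver in inventory.items()}

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "apm-edge-01": "17.1.2",      # below 17.1.3 -> vulnerable
    "apm-edge-02": "17.1.3",      # exactly the fixed build -> fixed
    "apm-dc-01": "16.1.6",        # 16.1.6 < 16.1.6.1 -> still vulnerable
    "apm-dc-02": "15.1.10.8",     # fixed
    "apm-lab-01": "14.1.5",       # branch not in the post's list -> unknown-branch
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
```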
Perimeter security infrastructure requires immediate remediation to prevent its transition from a defensive tool into an adversary pivot point. #CodeDefence #F5 #BIGIP #RCE #PerimeterSecurity
