Vulnerability affecting F5 BIG-IP APM
Summary
The NCSC is urging UK organisations to act immediately to mitigate an unauthenticated remote code execution vulnerability in F5 BIG-IP Access Policy Manager (CVE-2025-53521). F5 has updated its advisory after recategorising the issue: when a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).
F5 has reported active exploitation in the wild. The NCSC is assessing UK impact and recommends investigating all affected systems, regardless of when they were updated. F5 has published both an updated security advisory and Indicators of Compromise.
Key Points
- CVE-2025-53521 is an unauthenticated RCE in F5 BIG-IP APM when an access policy is configured on a virtual server.
- F5 has published an updated security advisory and IoCs: K000156741 and K000160486.
- F5 is aware of active exploitation; the NCSC is investigating UK impact and urges rapid action.
- All organisations using BIG-IP APM should consider themselves affected and investigate for compromise.
- NCSC recommended actions include isolating/replacing affected systems, fully investigating and rebuilding compromised devices, applying vendor updates and hardening, reporting UK incidents, and continuous threat hunting.
Why should I read this?
Short and blunt: if you run BIG-IP APM, this is urgent. It’s exploitable without authentication and attackers are already using it. We’ve read the detail so you don’t have to — follow the steps below now to reduce the risk to your estate.
Recommended immediate actions
1. Read F5’s security advisory and the IoCs.
2. If possible, isolate affected system(s) and replace with up-to-date instances (may cause outages).
3. Investigate fully for compromise; where investigation isn’t possible, erase and rebuild affected systems.
4. If you’re in the UK and suspect compromise, report it using the UK guidance on where to report a cyber incident, and consider an assured Cyber Incident Response provider.
5. Update to the latest product version, apply appropriate hardening, reintroduce systems only after remediation, and continue threat hunting.
Source
https://www.ncsc.gov.uk/news/vulnerability-affecting-f5-big-ip-apm