CVE-2025-53521

CRITICAL KEV

BIG-IP APM - DoS

Title source: llm

Description

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References (2)

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521

[Vendor Advisory] https://my.f5.com/manage/s/article/K000156741

Scores

CVSS v3 9.8

EPSS 0.0745

EPSS Percentile 91.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2026-03-27

VulnCheck KEV 2026-03-27

ENISA EUVD EUVD-2025-34630

CWE

CWE-121

Status published

Products (25)

F5/BIG-IP 15.1.0 - 15.1.10.8

F5/BIG-IP 16.1.0 - 16.1.6.1

F5/BIG-IP 17.1.0 - 17.1.3

F5/BIG-IP 17.5.0 - 17.5.1.3

f5/big-ip_access_policy_manager 15.1.0 - 15.1.10.8

f5/big-ip_advanced_firewall_manager 15.1.0 - 15.1.10.8

f5/big-ip_advanced_web_application_firewall 15.1.0 - 15.1.10.8

f5/big-ip_analytics 15.1.0 - 15.1.10.8

f5/big-ip_application_acceleration_manager 15.1.0 - 15.1.10.8

f5/big-ip_application_security_manager 15.1.0 - 15.1.10.8

... and 15 more

Published Oct 15, 2025

KEV Added Mar 27, 2026

Tracked Since Feb 18, 2026