CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

2026-03-28

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

CISA added CVE-2025-53521, a critical F5 BIG-IP APM vulnerability, to its Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation.

•Originally classified as a DoS vulnerability (CVSS v4: 8.7), it was reclassified as a pre-auth Remote Code Execution (RCE) flaw with a CVSS v4 score of 9.3 after new information emerged in March 2026.
•Affected versions span BIG-IP 15.1.x through 17.5.x; fixed versions are 15.1.10.8, 16.1.6.1, 17.1.3, and 17.5.1.3.
•F5 published IoCs including suspicious files at /run/bigtlog.pipe, hash mismatches in /usr/bin/umount and /usr/sbin/httpd, and audit log entries showing local users accessing the iControl REST API to disable SELinux.
•Webshells were observed operating in memory only, making file-based detection unreliable.
•

FCEB agencies were given a deadline of March 30, 2026 to apply patches; active scanning of the /mgmt/shared/identified-devices/config/device-info endpoint has been observed.

CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture