Shadowserver, a non-profit internet threat-monitoring organization, reports that over 14,000 BIG-IP APM instances are currently reachable online and remain vulnerable to a critical remote code execution (RCE) flaw, leaving the organizations running them exposed.
Overview of BIG-IP APM
BIG-IP APM (Access Policy Manager) is a centralized access management proxy solution developed by F5, designed specifically to assist administrators in securing access to their organization's networks, cloud environments, applications, and APIs.
The vulnerability, tracked as CVE-2025-53521 and less than five months old, was initially disclosed in October as a denial-of-service (DoS) flaw but was reclassified as an RCE flaw over the recent weekend. F5 attributes the reclassification to information it obtained in March 2026 confirming exploitation attempts against vulnerable BIG-IP versions.
Attackers holding no privileges are leveraging the flaw to execute code remotely on unpatched systems with weak configurations. Shadowserver has so far identified more than 17,100 IP addresses associated with BIG-IP APM instances.
CISA Directive
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies expedite the securing of their BIG-IP APM systems, as this vulnerability has now been listed among actively exploited security flaws.
F5 has released indicators of compromise (IOCs) and has urged organizations to inspect their devices for evidence of malicious activity. The company also recommends that affected systems be rebuilt from a known clean source rather than restored from user configuration backups, which may themselves already be compromised.
As a leading Fortune 500 technology company, F5 delivers cybersecurity and application delivery networking services to a customer base of over 23,000, including 48 of the top 50 Fortune companies. Historically, vulnerabilities within BIG-IP have attracted the interest of both state-sponsored groups and cybercriminal organizations, which have exploited them to infiltrate corporate networks, hijack devices, deploy malware, and exfiltrate sensitive information.