Network Security, Firewalls, Routers, Vulnerability Management, Patch/Configuration Management, Government security

F5 BIG-IP APM DoS bug exploited as an RCE, added to CISA list

DoS Attack

F5 Networks on March 28 reclassified a high-severity BIG-IP APM denial-of-service (DoS) flaw from October 2025 to a critical remote code execution (RCE) bug that security pros say warrants attention because too many teams never prioritized it.

Because of the threat to organizations that might have not patched last fall — and the fact that it’s now being exploited in the wild — the Cybersecurity and Infrastructure Agency (CISA) put CVE-2025-53521 on its Known Exploited Vulnerabilities (KEV) catalog.

“Any organization that may have deprioritized the vulnerability because it was ‘only a DoS’ issue may have inadvertently placed themselves at higher risk,” said Ben Ronallo, principal cybersecurity engineer at Black Duck. “Those organizations need to immediately patch systems, review F5's published indicators of compromise (IOCs), and activate their incident response plans.”

Matan Shavit, general manager of North America at Hadrian, said the real danger with this F5 BIG-IP vulnerability isn't just that it's critical now: it's that it wasn't critical when most organizations decided whether to patch it.

When CVE-2025-53521 first appeared last October, it was classified as a denial-of-service flaw with a CVSS score of 7.5. Shavit said plenty of security teams weighed it against a full backlog and made a reasonable call to deprioritize it.

“The problem is that the vulnerability didn't stay a 7.5,” said Shavit. “It's now a 9.8 RCE flaw with confirmed active exploitation and a CISA KEV listing. Meaning the threat model changed completely, but any organization running on stale intelligence is still operating as if it didn't.”

Shavit said the real lesson from DDoS and DoS class vulnerabilities is that they target the perimeter: the infrastructure sitting in front of everything else. Shavit pointed out that F5 BIG-IP devices act as load balancers, firewalls, and application gateways — when attackers get into those systems, they're sitting at the control point for traffic flowing in and out of the entire environment.

“From there, the path to deeper access, lateral movement, and persistent compromise is much shorter than most organizations realize,” said Shavit. “The organizations that are most exposed right now are those whose patching decisions are based on a severity rating that no longer reflects reality. Threat intelligence goes stale fast. What was a manageable DoS risk in October is an unauthenticated RCE being actively exploited today. Security teams that haven’t re-evaluated this one in light of the reclassification, should make doing so an immediate priority."

Matthew Andriani, chief executive officer at MazeBolt, said team need to understand that this is now a software-level flaw in which crafted input crashes the system, a classic indicator of underlying memory corruption and potential RCE, meaning an attacker could run malicious code on the device.

“Given this impacts a deep packet inspection (DPI) appliance that inspects and processes all network traffic in clear text and in-line, it should be treated as a critical risk with potential for full system compromise, not just service disruption,” said Andriani.

Shane Barney, chief information security officer at Keeper Security, added that this update by F5 reinforces a broader issue with edge and identity infrastructure: systems that manage access and authentication are high-value targets because they sit at a control point in the environment. Once compromised, Barney said they deliver a level of trusted access to attackers that’s difficult to detect and even harder to contain.

“In the current environment, organizations should expect overlapping activity,” Barney said. “Periods of geopolitical tension often bring increased DDoS traffic, but that activity can also create noise that obscures more targeted exploitation. These are not separate risks and should be evaluated together. The immediate priority is to apply patches and review for indicators of compromise. Where exploitation has been confirmed, organizations should validate system integrity rather than assume remediation alone is sufficient.”

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds