F5 BIG‑IP exploits active

A critical vulnerability in F5 BIG‑IP Access Policy Manager is being actively exploited in the wild, affecting remote‑access, SSO and load‑balancing deployments. Alerts stress immediate attention for organizations that rely on F5 appliances to front internal tooling or CI/CD systems. (aha.org)

F5 reclassified the Oct 15, 2025 BIG‑IP APM flaw (CVE‑2025‑53521) from a denial‑of‑service issue to an unauthenticated remote‑code‑execution issue and assigned it a CVSS v3.1 score of 9.8 and a CVSS v4.0 score of 9.3 in an advisory update on Mar 29, 2026. (my.f5.com)

The U.S. Cybersecurity and Infrastructure Security Agency added CVE‑2025‑53521 to its Known Exploited Vulnerabilities catalog on Mar 27, 2026 and, under BOD 22‑01, required federal civilian agencies to apply mitigations by Mar 30, 2026. (cisa.gov)

F5 confirmed that it has observed the vulnerability exploited in the wild and referenced an indicators‑of‑compromise package (K000160486) for checking systems upgraded from vulnerable releases for a tracked implant (c05d5254). (my.f5.com)

Multiple incident responders and vendors reported active exploitation, including webshell deployment on unpatched BIG‑IP APM instances observed in real‑world attacks beginning in late March 2026. (bleepingcomputer.com)

The flaw affects BIG‑IP systems only when an APM access policy is bound to a virtual server. It is a data‑plane (TMM) issue rather than a control‑plane exposure, and F5 lists fixed versions and hotfix guidance in the advisory and in iHealth‑based diagnostics. (my.f5.com)

Healthcare and other critical‑sector operators have circulated urgent notices about the exploit since CISA’s KEV entry, with industry alerts and security vendors specifically calling out defense and healthcare targets in observed campaigns. (aha.org / redsheepsec.com)

F5’s advisory, CISA’s KEV entry and multiple security vendors all recommend immediately applying the vendor‑provided fixes or approved mitigations, followed by post‑patch checks for the c05d5254 indicator on any upgraded or still‑vulnerable systems. (my.f5.com / cisa.gov)
