Fix Soon
CVE-2025-53521
RCE in F5 BIG-IP APM Access Policy on Virtual Server
The BIG-IP APM component contains a remote code execution vulnerability when an Access Policy is configured on a virtual server. It can be exploited by unauthenticated network traffic to trigger code execution with high impact, potentially leading to full compromise of the BIG-IP appliance and disruption of services.
Last analyzed: Loading...
Type
RCE (Remote Code Execution)
Auth Required
No
PoC Available
NoACTIVE EXPLOITATION
Vendor
F5 Networks
Product
BIG-IP
Exposure
Internet-facing
Default Config
Not exploitable
CVSS Score
9.8
- Name
- RCE in F5 BIG-IP APM Access Policy on Virtual Server
- Summary
- The BIG-IP APM component contains a remote code execution vulnerability when an Access Policy is configured on a virtual server. It can be exploited by unauthenticated network traffic to trigger code execution with high impact, potentially leading to full compromise of the BIG-IP appliance and disruption of services.
- Vendor
- F5 Networks
- Product Name
- BIG-IP
- Product Description
- BIG-IP is F5 Networks' application delivery controller platform offering load balancing, application security, and access management features (APM).
- Affected Versions
- 16.1.0–16.1.6.1; 17.1.0–17.1.3; 17.5.0–17.5.1.3; 15.1.0–15.1.10.8
- Affected Component
- BIG-IP APM Access Policy on a virtual server (APM policy)
- Component URLs
- Not available
- Protocol
- HTTPS
- Ports
- 4438443
- Internet-facing Likelihood
- 70%
- Exposure Level
- Internet-facing
- Enterprise Usage
- 70%
- Type
- RCE (Remote Code Execution)
- Impact
- Remote code execution on the BIG-IP appliance, allowing attacker to execute arbitrary code, access sensitive data, and disrupt or take control of affected systems.
- Exploitation Description
- An unauthenticated attacker can send specially crafted traffic to a BIG-IP virtual server that has a configured APM access policy. The vulnerable pathway can cause the BIG-IP Traffic Management Microkernel (TMM) to execute code or crash, enabling remote command execution and full compromise of the appliance. The exploit requires no user interaction and can be executed remotely over network traffic.
- Detection Method
- No
- Detection Method Types
- Not available
- Detection Method URLs
- PoC Available
- No
- PoC URLs
- Not available
- Default Config Exploitable
- No
- Exploitation Requirements
- Unauthenticated remote access to a BIG-IP APM virtual server with a configured Access Policy; reachable over the network; crafted traffic to trigger the vulnerability; no user interaction required.
- Requirements Probability
- 40%
- Authentication Needed
- No
- CVE ID
- CVE-2025-53521
- Description
- When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate.
- CVSS Score
- 9.8
- Published
- Loading...
- Last Modified
- Loading...
- CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H- Attack Vector (AV)
- AV:N
- Attack Complexity (AC)
- AC:L
- Privileges Required (PR)
- PR:N
- User Interaction (UI)
- UI:N
- Scope (S)
- S:U
- Confidentiality (C)
- C:H
- Integrity (I)
- I:H
- Availability (A)
- A:H
- CWE
- CWE-770: Allocation of Resources Without Limits or Throttling
- CPE Configuration
- cpe:2.3:h:f5:big-ip:*:*:*:*:*:*:*:*cpe:2.3:a:f5:big-ip:*:*:*:*:*:*:*:*
- Version From
- 16.1.015.1.0
- Version UpTo
- 16.1.6.115.1.10.8
- Remediation Type
- updateworkaround
- Remediation Description
- Upgrade to patched versions and apply mitigations: for 17.x line, upgrade to 17.5.1 or later; for 17.1.x, upgrade to 17.1.3 or later; for 16.1.x, upgrade to 16.1.6.1 or later; for 15.1.x, upgrade to 15.1.10.8 or later. If upgrading is not possible, apply mitigations such as restricting access to APM endpoints, enabling rate limiting, and monitoring for TMM crashes; refer to vendor advisories for detailed steps.
- EPSS Score
- 0.11%
- EPSS Percentile
- Not available
- EPSS Last Updated
- Not available
- CISA KEV
- Yes
- CISA KEV Date Added
- Loading...
- Active Exploitation
- Yes
- Active Exploitation URLs
- Threat Actors
- Not available
- Threat Actors URLs
- Not available
- IOCs
- Not available
- Detection Rules
- Not available
- Threat Hunting URLs
- Not available