F5 BIG-IP Vulnerability Reclassified as RCE, Under Exploitation
Summary
F5 has re-categorised CVE-2025-53521 — originally disclosed in October as a high-severity denial-of-service issue — as a remote code execution (RCE) flaw with a 9.8 CVSS score after new information emerged in March 2026. The vendor warns the bug is being actively exploited in the wild and has published updated advisories and indicators of compromise (IoCs).
The flaw affects BIG‑IP AMP across multiple versions (15.1.x, 16.1.x, 17.1.x and 17.5.x ranges). Exploitation can occur when an attacker sends specific malicious traffic to virtual servers running BIG‑IP AMP, allowing RCE. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, and security vendors have observed scanning and exploitation attempts targeting a REST API endpoint used for device identification.
Key Points
- CVE-2025-53521 was re-categorised from DoS to RCE by F5 after new information surfaced; CVSS 9.8.
- F5 confirmed active exploitation in the wild and published IoCs and mitigation guidance.
- Affected BIG‑IP AMP versions include 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6, and 15.1.0–15.1.10.
- CISA added the flaw to its KEV catalogue, prompting increased scanning and attack activity.
- Observed IoCs include malicious payload c05d5254, files such as /run/bigtlog.pipe and /run/bigstart.ltm, and file-integrity mismatches for /usr/bin/umount and /usr/sbin/httpd.
- Defused and other vendors reported scanning hitting /mgmt/shared/identified-devices/config/device-info — a BIG‑IP REST endpoint for system info.
- F5 advises customers to upgrade to fixed versions and review systems for signs of compromise; appliance mode does not mitigate the vulnerability.
Context and relevance
This is a high-risk infrastructure vulnerability affecting widely used BIG‑IP appliances — devices that sit at the network edge and often handle SSL termination, access policies and traffic management. RCE on these systems can lead to persistent backdoors, data theft, or lateral movement into internal networks. Inclusion in CISA’s KEV catalogue accelerates attention from both defenders and opportunistic attackers, so the window for prompt remediation is short.
For security teams, this sits alongside a trend of increased focus on F5 products by diverse threat actors, including nation-state groups and mass-exploit scanners. Organisations running BIG‑IP should treat this as an urgent patch-and-hunt task: apply vendor updates, monitor for the published IoCs, and audit management-plane access and logs.
Why should I read this?
Short version: if you run BIG‑IP, this is one you need to know about right now. We skimmed the coverage so you don’t have to — patch, hunt for the IoCs, and lock down management access. If you skip it, expect noisy scanning and potential RCE attempts to show up in your logs.
Author’s take
Punchy and plain: this moved from “annoying DoS” to “full RCE” — that’s a game changer. F5 kit often sits where it hurts most; treat the advisory as a priority incident. The article is essential reading for ops and incident response teams who need the IoCs and upgrade guidance to act fast.
Actionable next steps
- Upgrade BIG‑IP AMP to the fixed versions recommended by F5 immediately.
- Search for the IoCs (c05d5254, /run/bigtlog.pipe, /run/bigstart.ltm) and check for tampered /usr/bin/umount and /usr/sbin/httpd files.
- Monitor and block suspicious requests to /mgmt/shared/identified-devices/config/device-info and other management endpoints.
- Hunt for unusual processes, network connections and recent changes to system binaries and timestamps.
- Restrict management-plane access and review appliance-mode assumptions — systems running in appliance mode remain vulnerable.
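The hunt steps above as a defender's shell script, added here as an example rather than F5's published tooling. It assumes an RPM-based TMOS shell; the rpm -V integrity check, the root-prefix parameter and the constructed sample log are assumptions of the example, not details from the advisory.

```shell
#!/bin/sh
# Added example (not F5 tooling): shell helpers for the hunt steps above.
# A root prefix lets the file checks run against a mounted image or test dir.
# Paths named in the published IoCs.
IOC_FILES="/run/bigtlog.pipe /run/bigstart.ltm"
# Binaries reported with integrity mismatches.
IOC_BINARIES="/usr/bin/umount /usr/sbin/httpd"
# REST endpoint seen in scanning activity.
IOC_ENDPOINT="/mgmt/shared/identified-devices/config/device-info"

# Report IoC files present under the given root (default: /); prints the count.
find_ioc_files() {
    ioc_root="${1:-}"
    ioc_count=0
    for f in $IOC_FILES; do
        if [ -e "$ioc_root$f" ]; then
            echo "IOC file present: $ioc_root$f" >&2
            ioc_count=$((ioc_count + 1))
        fi
    done
    echo "$ioc_count"
}

# Compare the named binaries against their RPM package manifests (TMOS is
# RPM-based). Assumption: one possible integrity check, not necessarily F5's;
# a clean result is necessary, not sufficient, since root can alter the rpm db.
verify_binaries() {
    for b in $IOC_BINARIES; do
        if ! rpm -Vf "$b" >/dev/null 2>&1; then
            echo "MISMATCH or verification failure: $b"
        fi
    done
}

# Count requests to the device-info endpoint in an httpd access log and list
# the requesting source addresses (field 1 of a common/combined log line).
count_endpoint_hits() {
    grep -F "$IOC_ENDPOINT" "$1" | awk '{print $1}' | sort | uniq -c | sort -rn >&2
    grep -cF "$IOC_ENDPOINT" "$1" || true
}

# Constructed sample log (not real traffic) so the helpers run offline.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [12/Mar/2026:10:01:02 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401 0
203.0.113.9 - - [12/Mar/2026:10:01:05 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2026:10:02:00 +0000] "GET / HTTP/1.1" 200 1024
EOF
}
```

On an appliance, call `find_ioc_files`, `verify_binaries` and `count_endpoint_hits <access-log>` from a root shell; the log path is not stated on the page, so pass whichever access log your deployment writes.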
