F5 BIG-IP Vulnerability Reclassified as RCE, Under Exploitation
Summary
F5 has reclassified CVE-2025-53521 — first disclosed in October as a high-severity denial-of-service issue — as a remote code execution (RCE) vulnerability with a CVSS score of 9.8. New information obtained in March 2026 led to the change. F5 warns the flaw is being actively exploited in the wild and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalogue. The vulnerability affects BIG-IP AMP across multiple release lines; appliance mode does not mitigate the risk. F5 has published indicators of compromise (IoCs) linked to a malicious payload tracked as c05d5254, and security researchers report increased scanning and fingerprinting activity against BIG-IP REST endpoints.
Key Points
- CVE-2025-53521 was reclassified from DoS to RCE in March 2026 and now carries a 9.8 CVSS score.
- F5 reports active exploitation; CISA added the flaw to its KEV catalogue, prompting wider scanning and attacks.
- Vulnerable BIG-IP AMP versions include 17.5.0–17.5.1, 17.1.0–17.1.2, 16.1.0–16.1.6 and 15.1.0–15.1.10; appliance mode remains vulnerable.
- Exploitation can be triggered by sending crafted traffic to virtual servers using BIG-IP AMP, allowing remote code execution.
- F5 published IoCs (files such as /run/bigtlog.pipe, /run/bigstart.ltm and modified /usr/bin/umount or /usr/sbin/httpd, plus log artefacts) and guidance to upgrade to fixed versions.
- Security firms observed increased scanning hitting the /mgmt/shared/identified-devices/config/device-info REST endpoint and evolving payload variants — suggesting multiple actors mapping F5 infrastructure.
- Organisations should patch immediately, review logs and IoCs, and hunt for signs of the c05d5254 payload or other anomalies on BIG-IP devices.
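A small triage helper added here as an illustration (not F5's code and not from the article): it checks a reported BIG-IP version against the affected ranges listed above, looks for the published IoC file paths, and counts requests to the scanned REST endpoint in log lines. The log lines are constructed samples in an access-log shape, and the version check is deliberately coarse.

```python
import os
import re

# Added triage helper; assumptions: the affected ranges, IoC paths and REST
# endpoint below are the ones listed in the summary, and the log lines are
# constructed samples. Version check is major.minor.patch only, so confirm
# against F5's fixed-version table before declaring a device safe.
VULNERABLE_RANGES = [  # inclusive BIG-IP AMP ranges from the key points
    ((17, 5, 0), (17, 5, 1)),
    ((17, 1, 0), (17, 1, 2)),
    ((16, 1, 0), (16, 1, 6)),
    ((15, 1, 0), (15, 1, 10)),
]
IOC_PATHS = ["/run/bigtlog.pipe", "/run/bigstart.ltm"]  # tied to c05d5254
SCANNED_ENDPOINT = "/mgmt/shared/identified-devices/config/device-info"
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample access-log lines, not a real capture.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2026:10:00:01 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401 -',
    '198.51.100.4 - - [02/Mar/2026:10:00:05 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 -',
    '203.0.113.7 - - [02/Mar/2026:10:00:09 +0000] "POST /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401 -',
]

def parse_version(text):
    """'17.1.1' -> (17, 1, 1); build suffixes such as '17.1.0.3' are dropped."""
    return tuple(int(p) for p in text.strip().split(".")[:3])

def is_vulnerable(version):
    """True when the release falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)

def find_ioc_files(paths=IOC_PATHS, exists=os.path.exists):
    """IoC paths present on this host; `exists` is injectable for offline tests."""
    return [p for p in paths if exists(p)]

def endpoint_hits(lines):
    """Requests per source IP that touch the fingerprinting endpoint."""
    counts = {}
    for line in lines:
        if SCANNED_ENDPOINT in line:
            m = IPV4.search(line)
            ip = m.group(1) if m else "unknown"
            counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("17.1.1"), "iocs:", find_ioc_files())
    print("endpoint hits:", endpoint_hits(SAMPLE_LOG))
```

The modified /usr/bin/umount and /usr/sbin/httpd indicators need package-integrity verification against known-good binaries, which this helper does not attempt.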
Context and Relevance
This is a high-impact story for anyone running F5 BIG-IP appliances or managing network/perimeter services. BIG-IP is widely deployed in enterprise environments, and an RCE on these devices can give attackers deep access to both the traffic and management planes. The reclassification to RCE and the confirmation of exploitation significantly raise the urgency: it’s no longer just a denial-of-service nuisance; it’s a pathway to persistent compromise and lateral movement. The incident also fits a pattern of persistent targeting of F5 products, including last year’s supply-chain / source-code incident, so defenders should treat BIG-IP hardening and monitoring as a priority.
Why should I read this?
Short version: patch now, check your BIG-IP boxes, and don’t assume appliance mode saves you. If you run F5 gear, this is urgent. We’ve cut the waffle — you need to know the versions affected, the IoCs to hunt for, and that CISA has flagged it. If you manage networks, this could be the thing that keeps you up at night unless you act fast.
