PT-2025-42325 · F5 · F5 Big-Ip Apm

Published 2025-10-15 · Updated 2026-03-30 · CVE-2025-53521

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

F5 BIG-IP APM versions 15.1.0 through 17.5.1

Description

A vulnerability exists in F5 BIG-IP APM that, when an access policy is configured on a virtual server, can lead to Remote Code Execution (RCE). This issue was initially reported as a denial-of-service vulnerability but has been reclassified as a critical RCE with a CVSS score of 9.8. Active exploitation of this vulnerability is ongoing, with attackers deploying webshells on unpatched devices. The vulnerability allows unauthenticated attackers to execute code on affected systems. Attackers are targeting the /mgmt/shared/identified-devices/config/device-info REST API endpoint to gather system information. Over 240,000 instances are reported as exposed online. The exploitation of this vulnerability has been linked to the Brickstorm malware, which modifies system components to maintain persistence.

Recommendations

Apply the latest available hotfix for F5 BIG-IP APM versions 15.1.0 through 17.5.1. Format the inactive partition before installing the new software to ensure no residual malicious files remain. Search for indicators of compromise, including unauthorized files in /shared/bin/ or /usr/bin/sys-eicheck, and unusual log entries related to SELinux.
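
One way to carry out the indicator search described in the recommendations, as an added example that is not F5's or this advisory's own tooling: it compares files under /shared/bin/ and /usr/bin/sys-eicheck against a known-good hash baseline and pulls log lines that request the device-info endpoint or mention SELinux. The baseline, the `root` parameter, the function names and the sample log lines are assumptions constructed for illustration.

```python
import hashlib, os, re

# Locations and endpoint named in the advisory; everything else is assumed.
WATCH_DIR = "shared/bin"
WATCH_FILE = "usr/bin/sys-eicheck"
ENDPOINT = "/mgmt/shared/identified-devices/config/device-info"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_files(root, baseline):
    """List watched files under `root` that are missing from `baseline`
    (relative path -> SHA-256 from a known-good install) or differ from it."""
    candidates = [WATCH_FILE]
    for dirpath, _, names in os.walk(os.path.join(root, WATCH_DIR)):
        candidates += [os.path.relpath(os.path.join(dirpath, n), root) for n in names]
    findings = []
    for rel in sorted(candidates):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            continue  # watched file absent on this system: nothing to hash
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif sha256_of(full) != baseline[rel]:
            findings.append((rel, "hash mismatch"))
    return findings

def triage_logs(lines):
    """Return log lines that request the device-info endpoint or mention SELinux."""
    pat = re.compile(re.escape(ENDPOINT) + r"|selinux", re.IGNORECASE)
    return [ln.rstrip("\n") for ln in lines if pat.search(ln)]

if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # constructed stand-in for a mounted image
    os.makedirs(os.path.join(root, WATCH_DIR))
    with open(os.path.join(root, WATCH_DIR, "helper"), "wb") as f:
        f.write(b"constructed sample")
    print(triage_files(root, baseline={}))
    sample = ['203.0.113.7 "GET %s HTTP/1.1" 200 (constructed)' % ENDPOINT,
              '198.51.100.2 "GET /index.html HTTP/1.1" 200 (constructed)']
    print(triage_logs(sample))
```

Pass `root="/"` on a live system or the mount point of a forensic image; every returned line or file is a lead for an analyst to review, not a verdict.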

Fix · RCE · DoS · LPE

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2025-53521

Affected Products

F5 Big-Ip Apm