PT-2025-42325 · F5 · F5 Big-Ip Apm

Published

2025-10-15

·

Updated

2026-06-11

·

CVE-2025-53521

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

F5 BIG-IP versions prior to 17.5.1.3
F5 BIG-IP versions prior to 17.1.3
F5 BIG-IP versions prior to 16.1.6.1
F5 BIG-IP versions prior to 15.1.10.8
Description

An unauthenticated Remote Code Execution (RCE) vulnerability exists in the F5 BIG-IP Access Policy Manager (APM) when an access policy is configured on a virtual server. The issue stems from insecure deserialization and improper memory bounds checking in the apmd process (the engine that processes live traffic for access policies) during the initial SSL/TLS handshake. An attacker can send a specific sequence of non-standard HTTP headers, known as a "Glint" payload, to trigger a heap buffer overflow (data written beyond the end of its allocated memory buffer), overwrite the instruction pointer and obtain a root shell. This can lead to full system compromise, interception of decrypted traffic, theft of MFA session tokens, and the deployment of persistent backdoors such as the Brickstorm malware, which modifies the sys-eicheck integrity component to survive reboots. Over 14,000 internet-exposed instances have been identified worldwide, with active scanning and exploitation reported. Successful exploitation allows credential theft, lateral movement into internal networks, and data exfiltration.
Recommendations

Upgrade to version 17.5.1.3, 17.1.3, 16.1.6.1, or 15.1.10.8 as applicable.
If compromise is suspected, rebuild systems from known-good images and do not restore from UCS backups created after the potential compromise.
Restrict or block public internet access to management and administration interfaces using firewalls or ACLs.
Rotate all credentials, session tokens, and certificates stored on the affected devices.
Audit disks, logs, and terminal history for indicators of compromise, specifically checking for mismatched hashes on /usr/bin/umount and /usr/sbin/httpd, the presence of /run/bigtlog.pipe, and unauthorized files in /shared/bin/ or /usr/bin/sys-eicheck.
Enforce Multi-Factor Authentication (MFA) for all administrative accounts.
As a temporary mitigation, disable APM if it is not required, or restrict access to the virtual servers with active APM policies.
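The audit step above, as an added shell example (not the advisory's text nor F5's own tooling): it checks the paths the recommendations name, comparing the listed binaries against an operator-supplied known-good hash file, which is an assumed input prepared from a clean image of the same version, and can be pointed at a mounted offline image instead of the live root.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a BIG-IP filesystem for the
# indicators listed in the recommendations. ROOT is "/" on a live device or
# the mount point of an offline image. EXPECTED is an assumed, operator-
# prepared file in sha256sum format ("<sha256>  <path>") taken from a
# known-good image of the same version; it should cover at least
# /usr/bin/umount, /usr/sbin/httpd and /usr/bin/sys-eicheck.

# check_bigip_iocs ROOT EXPECTED
# Prints one finding per line; the return value is the number of findings.
check_bigip_iocs() {
    root="${1%/}"          # "" when ROOT is "/", so "$root$path" stays absolute
    expected="$2"
    findings=0

    # 1. Known-good hash comparison for the binaries the advisory names.
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"; findings=$((findings + 1)); continue
        fi
        have=$(sha256sum "$root$path" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "HASH-MISMATCH $path"; findings=$((findings + 1)); }
    done < "$expected"

    # 2. The pipe the advisory lists as a post-compromise artifact.
    if [ -e "$root/run/bigtlog.pipe" ]; then
        echo "PRESENT /run/bigtlog.pipe"; findings=$((findings + 1))
    fi

    # 3. Anything in /shared/bin is flagged for a human to confirm it is authorized.
    for f in "$root/shared/bin"/*; do
        [ -e "$f" ] || continue
        echo "REVIEW /shared/bin/${f##*/}"; findings=$((findings + 1))
    done

    return "$findings"
}

# Usage on a live device (assumed location of the operator's hash file):
# check_bigip_iocs / /var/tmp/known-good.sha256
```

A non-zero exit status means something needs attention; a mismatch on a binary the advisory names is a rebuild-from-image signal, not a repair-in-place one.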

Fix

LPE

RCE

DoS

Stack Overflow

Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

CVE-2025-53521

Affected Products

F5 Big-Ip Apm