PT-2025-42325 · F5 · F5 Big-Ip Apm
Published 2025-10-15 · Updated 2026-06-11 · CVE-2025-53521

| CVSS v3.1 | 9.8 Critical |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
F5 BIG-IP versions prior to 17.5.1.3
F5 BIG-IP versions prior to 17.1.3
F5 BIG-IP versions prior to 16.1.6.1
F5 BIG-IP versions prior to 15.1.10.8
Description
An unauthenticated remote code execution (RCE) vulnerability exists in F5 BIG-IP Access Policy Manager (APM) when an access policy is configured on a virtual server. The issue stems from insecure deserialization and improper memory bounds checking within the apmd process (the engine that processes live traffic for access policies) during the initial SSL/TLS handshake. An attacker can send a specific sequence of non-standard HTTP headers, known as a "Glint" payload, to trigger a heap buffer overflow (a condition in which data exceeds its allocated memory buffer), allowing the attacker to overwrite the instruction pointer and obtain a root shell. This can lead to full system compromise, interception of decrypted traffic, theft of MFA session tokens, and the deployment of persistent backdoors such as the Brickstorm malware, which modifies the sys-eicheck integrity component to survive reboots. Over 14,000 internet-exposed instances have been identified worldwide, with active scanning and exploitation reported. Successful exploitation allows credential theft, lateral movement into internal networks, and data exfiltration.

Recommendations
Upgrade to versions 17.5.1.3, 17.1.3, 16.1.6.1, or 15.1.10.8 as applicable.
If compromise is suspected, rebuild systems from known-good images and do not restore from UCS backups created after the potential compromise.
Restrict or block public internet access to management and administration interfaces using firewalls or ACLs.
Rotate all credentials, session tokens, and certificates stored on the affected devices.
Audit disks, logs, and terminal history for indicators of compromise, specifically checking for mismatched hashes on /usr/bin/umount and /usr/sbin/httpd, the presence of /run/bigtlog.pipe, and unauthorized files in /shared/bin/ or /usr/bin/sys-eicheck.
Enforce Multi-Factor Authentication (MFA) for all administrative accounts.
As a temporary mitigation, disable the APM if it is not required, or restrict access to the virtual servers with active APM policies.
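The audit recommendation above can be turned into a repeatable check. The following POSIX shell script is an added example written for this page; it is not F5's tooling and not part of the original advisory. It compares the binaries named above against a baseline of SHA-256 hashes taken from a known-good system of the same version, flags the named artifact if present, and reports any file in /shared/bin that the baseline does not know. The function names (make_baseline, audit_bigip, baseline_hash), the sha256sum-style baseline format, and the ROOT prefix (empty for the live device, or the mount point of a disk image) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not F5 tooling: audit a BIG-IP filesystem for the indicators named
# in the recommendations above. ROOT is a path prefix ("" for the live system, or the
# mount point of a disk image). BASELINE is a file in sha256sum format
# ("<hex>  <absolute path>") produced by make_baseline on a known-good system of the
# same version. Function names and the baseline format are this example's assumptions.

# Binaries the advisory says may be replaced: their hashes must match the baseline.
WATCHED_BINARIES="/usr/bin/umount /usr/sbin/httpd /usr/bin/sys-eicheck"
# Artifact whose mere presence is an indicator.
WATCHED_ARTIFACTS="/run/bigtlog.pipe"
# Directory in which any file absent from the baseline counts as unauthorized.
WATCHED_DIRS="/shared/bin"

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# make_baseline ROOT: print "<sha256>  <path>" for every watched file under ROOT.
make_baseline() {
  root="$1"
  for p in $WATCHED_BINARIES; do
    if [ -f "$root$p" ]; then printf '%s  %s\n' "$(sha256_of "$root$p")" "$p"; fi
  done
  for d in $WATCHED_DIRS; do
    for f in "$root$d"/*; do
      if [ -f "$f" ]; then printf '%s  %s\n' "$(sha256_of "$f")" "${f#"$root"}"; fi
    done
  done
  return 0
}

# baseline_hash BASELINE PATH: print the recorded hash for PATH, or nothing if unknown.
baseline_hash() { awk -v p="$2" '$2 == p { print $1 }' "$1"; }

# audit_bigip ROOT BASELINE: print one "FINDING ..." line per indicator hit;
# returns 0 when clean and 1 when anything was found.
audit_bigip() {
  root="$1"; baseline="$2"; findings=0
  if [ ! -r "$baseline" ]; then
    echo "FINDING baseline file $baseline is not readable; nothing can be verified"
    return 1
  fi
  for p in $WATCHED_ARTIFACTS; do
    if [ -e "$root$p" ]; then
      echo "FINDING unexpected artifact present: $p"
      findings=$((findings + 1))
    fi
  done
  for p in $WATCHED_BINARIES; do
    # A binary absent on this version is skipped rather than reported.
    if [ ! -f "$root$p" ]; then continue; fi
    expected=$(baseline_hash "$baseline" "$p")
    actual=$(sha256_of "$root$p")
    if [ -z "$expected" ]; then
      echo "FINDING no baseline hash for $p; verify it manually"
      findings=$((findings + 1))
    elif [ "$actual" != "$expected" ]; then
      echo "FINDING hash mismatch: $p"
      findings=$((findings + 1))
    fi
  done
  for d in $WATCHED_DIRS; do
    for f in "$root$d"/*; do
      if [ ! -e "$f" ]; then continue; fi
      rel="${f#"$root"}"
      if [ -z "$(baseline_hash "$baseline" "$rel")" ]; then
        echo "FINDING file not in baseline: $rel"
        findings=$((findings + 1))
      fi
    done
  done
  [ "$findings" -eq 0 ]
}

# Usage:
#   make_baseline "" > baseline.txt      # on a known-good system of the same version
#   audit_bigip "" baseline.txt          # on the system under investigation
#   audit_bigip /mnt/image baseline.txt  # against a mounted disk image
```

A mismatch or a missing baseline entry is a reason to pull the disk image for forensics, not a confirmation of compromise on its own: a legitimate hotfix that touched httpd would also trip the hash check, which is why the baseline must come from the same software version. Because the script hashes only the files the advisory lists, it complements but does not replace a full comparison against a known-good image, and it should be run from a trusted shell rather than the device's own interpreter if the box is already suspect.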
LPE
RCE
DoS
Stack Overflow
Allocation of Resources Without Limits
Affected Products
F5 Big-Ip Apm