CVE-2025-53521

Name of the Vulnerable Software and Affected Versions F5 BIG-IP APM versions 15.1.0 through 15.1.10 F5 BIG-IP APM versions 16.1.0 through 16.1.6 F5 BIG-IP APM versions 17.1.0 through 17.1.2 F5 BIG-IP APM versions 17.5.0 through 17.5.1 F5 BIG-IP APM versions prior to 21.0.0

Description An unauthenticated remote code execution (RCE) issue exists in F5 BIG-IP Access Policy Manager (APM) when an access policy is configured on a virtual server. The flaw is caused by a stack-based buffer overflow in the apmd process due to insecure deserialization and improper memory bounds checking during the initial SSL/TLS handshake. Attackers can send specially crafted malicious traffic, such as a sequence of non-standard HTTP headers, to overwrite the instruction pointer and gain root access to the appliance. This allows for full device takeover, deployment of in-memory or on-disk webshells, and the ability to intercept decrypted traffic or steal MFA session tokens.

Approximately 14,000 to 17,100 internet-exposed devices have been identified worldwide. Real-world exploitation has been observed, including the deployment of the Brickstorm malware, which modifies the sys-eicheck integrity component to maintain persistence across reboots and patches. Attackers have also been observed targeting the REST API endpoint '/mgmt/shared/identified-devices/config/device-info' for reconnaissance to retrieve system-level information such as hostname and machine ID.

Recommendations Upgrade F5 BIG-IP APM to versions 15.1.10.8, 16.1.6.1, 17.1.3, 17.5.1.3, or 21.0.0. As a temporary mitigation, isolate or restrict internet-facing management and APM interfaces using firewalls or ACLs. Perform forensic audits of disks, logs, and terminal history for indicators of compromise, such as unauthorized files in /shared/bin/ or modifications to /usr/bin/sys-eicheck. Rebuild compromised appliances from known-good images; do not restore from UCS backups as they may contain persistent malware. Rotate all credentials, keys, and certificates stored on affected devices. Restrict access to the API endpoint '/mgmt/shared/identified-devices/config/device-info' to minimize reconnaissance risks.