Internet threat-monitoring non-profit Shadowserver has found over 14,000 BIG-IP APM instances exposed online amid ongoing attacks exploiting a critical-severity remote code execution (RCE) vulnerability.
BIG-IP APM (short for Access Policy Manager) is F5’s centralized access management proxy solution designed to help admins secure access to their organizations’ networks, cloud, applications, and application programming interfaces (APIs).
This 5-month-old flaw (tracked as CVE-2025-53521) was disclosed in October as a denial-of-service (DoS) vulnerability and was reclassified as an RCE bug over the weekend.
“Due to new information obtained in March 2026, the original vulnerability is being re-categorized to an RCE. The original CVE remediation has been validated to address the RCE in the fixed versions. We have learned that this vulnerability has been exploited in the vulnerable BIG-IP versions,” F5 warned in a Sunday advisory update.
Attackers without privileges are exploiting this security issue to gain remote code execution on unpatched BIG-IP APM systems with access policies configured on a virtual server.
While there is no information on how many BIG-IP APM instances exposed on the Internet have a vulnerable configuration, Internet threat-monitoring non-profit Shadowserver said on Wednesday that it now tracks over 17,100 IPs with BIG-IP APM fingerprints.
​More than 14,000 BIG-IP APM systems remain exposed to CVE-2025-53521 attacks according to Shadowserver’s data, even though the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure their BIG-IP APM systems by midnight on Monday (after adding the vulnerability to its list of actively exploited flaws on Friday).
F5 has also shared published indicators of compromise (IOCs) and advised defenders to check the disks, logs, and terminal history of BIG-IP devices for signs of malicious activity. It also provides guidance on the measures to take after detecting evidence of compromise, including rebuilding the affected systems from scratch.
“If customers do not know exactly when the system was compromised, user configuration set (UCS) backups may have been created after the compromise occurred,” the company said.
“F5 strongly recommends that customers rebuild the configuration from a known good source because UCS files from compromised systems can contain persistent malware.”
As a Fortune 500 technology giant, F5 provides cybersecurity, application delivery networking (ADN), and other services to over 23,000 customers, including 48 Fortune 50 companies.
In recent years, BIG-IP vulnerabilities have been targeted by both nation-state and cybercrime threat groups to breach corporate networks, hijack devices, deploy data-wiping malware, map internal servers, and steal sensitive data.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
