CISA Warns of F5 BIG-IP Vulnerability Actively Exploited in Attacks

What happened

A newly disclosed F5 BIG-IP vulnerability is being actively exploited in attacks, prompting CISA to add the issue to its Known Exploited Vulnerabilities catalog. The flaw, tracked as CVE-2025-53521, was listed on March 27, 2026 and affects F5 BIG-IP Access Policy Manager (APM). The article describes it as an unspecified vulnerability that could allow remote code execution. CISA said federal agencies must remediate the issue by March 30, 2026. The report also says F5 has issued guidance to address the flaw. While technical details remain limited, the article states that the vulnerability is already being leveraged in real-world attacks and that no confirmed attribution or ransomware link has been disclosed. 

Who is affected

The direct exposure affects organizations using F5 BIG-IP Access Policy Manager systems impacted by CVE-2025-53521. The article specifically notes concern because BIG-IP devices are widely deployed in enterprise and government networks. 

Why CISOs should care

This matters because the issue involves a potentially remote code execution path in widely deployed edge and traffic management infrastructure. It is also significant because CISA has already confirmed active exploitation and imposed a near-term remediation deadline for federal agencies. 

3 practical actions

1. Apply vendor mitigations immediately: Follow F5 guidance without delay to address CVE-2025-53521 in affected BIG-IP environments. 
2. Review for signs of compromise: Check logs for unusual administrative activity or unauthorized configuration changes within BIG-IP systems. 
3. Discontinue exposed use if needed: If patches or workarounds are unavailable, follow CISA’s direction for federal agencies to discontinue use of affected systems. 

For more news about security flaws under active exploitation, click Vulnerability to read more.