CVE-2025-53521
March 30, 2026

F5 BigIP APM: Remote Code Execution

Security Advisory
Kudelski Security Team
Summary

A critical vulnerability, identified as CVE-2025-53521, has been added to the Known Exploited Vulnerabilities (KEV) catalog by CISA.

This vulnerability affects the versions of F5 Networks' BIG-IP Access Policy Manager (APM) listed below and allows unauthenticated attackers to perform remote code execution. This vulnerability has been exploited; immediate attention and action are therefore required to mitigate potential risks.

Affected Systems and/or Applications

  • 17.x: 17.5.0 - 17.5.1 and 17.1.0 - 17.1.2
  • 16.x: 16.1.0 - 16.1.6
  • 15.x: 15.1.0 - 15.1.10

For further details, see Referenced F5 Networks Security Advisory K000160486.

Technical Details

The vulnerability is classified as CWE-770: Allocation of Resources Without Limits or Throttling, which occurs when a system does not properly restrict the amount of resources that can be consumed by a request or process.

In this case, when a BIG-IP Access Policy Manager (APM) access policy is configured on a virtual server, the system fails to enforce proper limits on resource allocation during request processing. An attacker can send specially crafted or malicious traffic that triggers excessive resource consumption within the affected component.

This uncontrolled resource allocation can be leveraged to:

  • Exhaust system resources, impacting availability
  • Manipulate internal processing behavior
  • Ultimately achieve Remote Code Execution (RCE) under certain conditions

The issue is particularly critical because:

  • It can be triggered via network-based access to the affected service
  • It does not require authentication in some configurations
  • It impacts systems exposing APM functionality on virtual servers

Successful exploitation depends on the presence of a vulnerable APM configuration and the ability of the attacker to deliver crafted requests that abuse the lack of resource throttling controls.

IOCs

F5 published a number of indicators that can be used to assess whether a system has been compromised. They are listed below.

Files on disk

  • Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
  • Mismatch of file hashes when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
  • Mismatch of file sizes or timestamps when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
  • Each release and EHF may have different file sizes and timestamps.

Log entries

  • /var/log/restjavad-audit.<NUMBER>.log: [ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}

    This entry shows a local user accessing the iControl REST API from localhost.

  • /var/log/auditd/audit.log.<NUMBER>: msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

    This entry shows a local user accessing the iControl REST API from localhost to disable SELinux.

  • /var/log/audit: user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash <VARIABLE_COMMAND>

    These log messages show an echo of Base64-encoded data written into a file and the execution of /run/bigstart.ltm. This entry shows an example of a command being run in the audit log, correlated to the iControl REST request above.

TTPs observed

You may observe HTTP/S traffic from the BIG-IP system that contains HTTP 201 response codes and a CSS content-type to disguise the attacker's activities. Changes to the following files might signal a potential compromise; however, their presence alone does not indicate a security issue:

  • /var/sam/www/webtop/renderer/apm_css.php3
  • /var/sam/www/webtop/renderer/full_wt.php3
  • /var/sam/www/webtop/renderer/webtop_popup_css.php3
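Added example, not part of the Kudelski advisory or of F5's own tooling: a small Python triage script that applies the file and log indicators above to constructed sample lines. The known-good digests for /usr/bin/umount and /usr/sbin/httpd are an operator-supplied assumption (they differ per release and EHF, as the advisory notes).

```python
import hashlib
import re
from pathlib import Path

# Artifact paths and binaries named in the F5 indicators quoted in the advisory.
IOC_FILES = ["/run/bigtlog.pipe", "/run/bigstart.ltm"]
IOC_BINARIES = ["/usr/bin/umount", "/usr/sbin/httpd"]

# One regex per log indicator; patterns follow the advisory's example entries.
LOG_PATTERNS = {
    "restjavad: f5hubblelcdadmin POST to /mgmt/tm/util/bash": re.compile(
        r'"user":"local/f5hubblelcdadmin".*"method":"POST".*"uri":"[^"]*/mgmt/tm/util/bash"'),
    "auditd: SELinux switched to permissive (enforcing=0)": re.compile(
        r"received setenforce notice \(enforcing=0\)"),
    "audit: f5hubblelcdadmin ran 'run util bash'": re.compile(
        r"user=f5hubblelcdadmin .*cmd_data=run util bash"),
}

def scan_log_lines(lines):
    """Return (indicator, line) pairs for every line matching a log indicator."""
    return [(name, line.strip()) for line in lines
            for name, pat in LOG_PATTERNS.items() if pat.search(line)]

def present_ioc_files(root="/"):
    """Return the IoC artifact paths that exist below root (root is a parameter for testing)."""
    return [p for p in IOC_FILES if Path(root, p.lstrip("/")).exists()]

def hash_mismatches(known_good, root="/"):
    """Compare sha256 of the IoC binaries with operator-supplied known-good digests (assumed input).
    Returns the paths whose digest differs; a missing or unknown binary counts as a mismatch."""
    bad = []
    for p in IOC_BINARIES:
        f = Path(root, p.lstrip("/"))
        digest = hashlib.sha256(f.read_bytes()).hexdigest() if f.is_file() else None
        if digest is None or digest != known_good.get(p):
            bad.append(p)
    return bad

# Constructed sample log lines modelled on the advisory's examples (not real captures).
SAMPLE_LOG = [
    '[ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST",'
    '"uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}',
    "msg='avc: received setenforce notice (enforcing=0) exe=\"/usr/lib/systemd/systemd\" sauid=0'",
    "user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual",
    "user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash <VARIABLE_COMMAND>",
]

if __name__ == "__main__":
    for name, line in scan_log_lines(SAMPLE_LOG):
        print("[IOC]", name, "->", line)
```

On a BIG-IP the script would be run with `root="/"` against the real log files; the benign `list ltm virtual` line is included to show that ordinary tmsh activity does not trigger the audit-log rule.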

Mitigation

  • Upgrade: eliminate this vulnerability by installing one of the released fixes below.

    Branch   Versions Known to Be Vulnerable   Fixes Introduced In
    17.x     17.5.0 - 17.5.1                   17.5.1.3
    17.x     17.1.0 - 17.1.2                   17.1.3
    16.x     16.1.0 - 16.1.6                   16.1.6.1
    15.x     15.1.0 - 15.1.10                  15.1.10.8

What the Cyber Fusion Center is Doing

The CFC is monitoring the situation and analyzing the case to identify potential threat-hunting campaigns. This advisory will be updated if required.

References
