Signal

CISA adds critical F5 BIG-IP APM vulnerability CVE-2025-53521 to known exploited catalog amid active attacks

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-03-28 07:07 UTCUpdated 2026-03-28 11:48 UTC

redditrss

cveexploitsincident_responsesecurity_advisorythreat_actors

Source links open

Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.

Back Evidence (3)Get the free brief by email Start free trial

No card needed for the free brief.

Evidence trail (top sources)

top sources (2 domains)

2 top sources shown

Attackers are exploiting RCE vulnerability in BIG-IP APM systems (CVE-2025-53521)

Help Net Security · News · helpnetsecurity.com · 2026-03-28 09:02 UTC

CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

The Hacker News · News · thehackernews.com · 2026-03-28 07:07 UTC

limited source diversity in top sources

View all evidence

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53521, a critical remote code execution vulnerability in F5 BIG-IP Access Policy Manager (APM), to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation.

Entities

F5U.S. Cybersecurity and Infrastructure Security Agency (CISA)

Score total

1.56

Momentum 24h

Posts

Origins

Source types

Duplicate ratio

Why now

CISA’s recent KEV addition signals ongoing active exploitation and elevated threat activity.
F5’s updated advisories and published indicators of compromise aid defenders in real-time response.
The vulnerability’s high severity score underscores the need for immediate patching and monitoring.

Why it matters

The vulnerability allows unauthenticated remote code execution, posing severe risk to organizations using F5 BIG-IP APM.
Active exploitation by sophisticated threat actors increases urgency for mitigation and detection.
CISA’s KEV listing highlights the criticality and widespread impact of this vulnerability.

LLM analysis

Topic mix: lowPromo risk: lowSource quality: high

Recurring claims

CVE-2025-53521 is a critical unauthenticated remote code execution vulnerability in F5 BIG-IP APM actively exploited by threat actors.
CISA has added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog following active exploitation evidence.
F5 confirmed a data breach in October 2025 involving a sophisticated nation-state threat actor related to this vulnerability.

How sources frame it

Help Net Security: neutral
The Hacker News: neutral

All evidence

K000156741: F5 BIG-IP APM vulnerability CVE-2025-53521 - from October - K000160486: Indicators of Compromise for c05d5254 from March

blueteamsec · my.f5.com · 2026-03-28 11:48 UTC

Attackers are exploiting RCE vulnerability in BIG-IP APM systems (CVE-2025-53521)

Help Net Security · helpnetsecurity.com · 2026-03-28 09:02 UTC

CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

The Hacker News · thehackernews.com · 2026-03-28 07:07 UTC

Show filters & breakdown

Posts loaded: 0Publishers: 3Origin domains: 3Duplicates: -

Platform

Publisher

Origin domain

Relevance tier

Duplicates only

Showing 3 / 0

Top publishers (this list)

blueteamsec (1)
Help Net Security (1)
The Hacker News (1)

Top origin domains (this list)

my.f5.com (1)
helpnetsecurity.com (1)
thehackernews.com (1)