Overview
This vulnerability exists in the data plane of BIG-IP systems where the APM module is active. It allows a remote, unauthenticated attacker to send specially crafted malicious traffic to a virtual server configured with an APM access policy. This triggers an execution path in the apmd process, leading to arbitrary code execution with root-level privileges.
Impact and Risk Assessment
Risk Level: Critical
CVSS Score: 9.8 (CVSS v3.1)
CVSS Score: 9.3 (CVSS v4.0)
This vulnerability has recently undergone a major reassessment. Originally disclosed in October 2025 as a Denial-of-Service (DoS) issue, it was reclassified in March 2026 following evidence of active exploitation for full system compromise.
Reasons:
- Attackers do not need valid credentials to take over the device.
- BIG-IP APM typically sits at the edge of the network as a gateway for VPNs and SSO, making it a “crown jewel” target. Attackers using this flaw deploy “memory-only” web shells that evade traditional disk-based detection.
- Because it was initially labeled a DoS (CVSS 7.5), many organizations may have delayed patching, leaving them exposed for months.
Impact
- Attackers gain root access to the underlying Linux operating system, with the ability to dump active session tokens and intercept authentication traffic (SSO/VPN).
- The BIG-IP becomes a pivot point to move deeper into internal network segments (e.g., targeting vCenter or ESXi servers).
- Threat actors modify system integrity checkers and startup scripts to maintain access.
Vulnerability Details
The flaw (mapped to CWE-770: Allocation of Resources Without Limits or Throttling) involves improper handling of specific requests within the apmd process.
Malicious traffic is sent to a virtual server where an Access Profile is attached. This is strictly a data plane issue. The control plane (management interface) is not directly exposed by this specific CVE, though a compromised data plane can lead to management takeover.
Affected Products and Systems:
- BIG-IP 17.5
- BIG-IP 17.1
- BIG-IP 16.1
- BIG-IP 15.1
Affected Versions:
- 17.5.0 – 17.5.1
- 17.1.0 – 17.1.2
- 16.1.0 – 16.1.6
- 15.1.0 – 15.1.10
Attack Vector and Exploitation Scenario
Attackers scan for internet-facing BIG-IP instances with APM enabled. A crafted HTTP request is sent to the APM-enabled virtual server. The apmd process misinterprets the request, allowing the attacker to escape the restricted environment and execute shell commands. A webshell (often named c05d5254 in recent reports) is deployed to facilitate command-and-control.
MITRE ATT&CK Mapping (CVE-2025-53521)
| Tactic | Technique ID | Technique Name | Observed Behavior in CVE-2025-53521 |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of the apmd process via crafted HTTP requests to the APM data plane. |
| Execution | T1059.004 | Command & Scripting Interpreter: Unix Shell | Attacker gains a root shell to execute arbitrary Linux commands on the appliance. |
| Persistence | T1505.003 | Server Software Component: Web Shell | Deployment of memory-only webshells (e.g., the c05d5254 IOC) to maintain access without writing to disk. |
| Persistence | T1136.001 | Create Account: Local Account | Creation of unauthorized administrative or SSH users to bypass future authentication. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Direct modification of sys-eicheck (the BIG-IP system integrity checker) to hide malicious files. |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Use of Go-based malware (Junction/BrickStorm), often packed or obfuscated to evade signature-based EDR. |
| Credential Access | T1555 | Credentials from Password Stores | Exfiltration of active session tokens and stored credentials from the Access Policy Manager. |
| Command & Control | T1090 | Proxy | Using the BIG-IP as a proxy to tunnel traffic into the internal network (Lateral Movement). |
Exploit Status
- In-the-Wild Exploitation: Confirmed by F5 and CISA.
- Public PoC: While full exploit code is guarded, technical details regarding the trigger are widely circulating in the research community.
- Weaponization: Integrated into advanced persistent threat (APT) toolsets, including the “Junction” malware family.
Operational Implication
If a system was compromised before the patch, the attacker may have already moved laterally or established persistence. Organizations must treat this as a potential breach event rather than a routine update.
Mitigation and Recommendations
1. Upgrade to the fixed version for your release branch:
- 17.5.1.3
- 17.1.3
- 16.1.6.1
- 15.1.10.8
2. Disable APM access profiles on virtual servers that do not require external access.
3. If compromise is suspected, F5 recommends rebuilding the system from scratch rather than restoring from a UCS backup, as backups may contain persistent malware.
4. Rotate all administrative passwords and API keys stored on the device.
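A small checker for step 1 above: it takes a BIG-IP version string (for instance the Version line from `tmsh show sys version`) and reports whether it falls below the fixed version for its release branch, using only the affected and fixed versions stated on this page. This is an added example, not F5's code; the function names `parse_version` and `assess` and the return format are assumptions.

```python
"""Compare a BIG-IP version against the fixed versions listed in this advisory.
Added example; the version numbers come from the advisory text above,
everything else here is an assumption."""
import re

# Release branch -> first fixed version, as stated on this page.
# Affected ranges on the page start at x.y.0 for every listed branch,
# so "affected" simply means "on a listed branch and below the fix".
FIXED_BY_BRANCH = {
    (17, 5): (17, 5, 1, 3),
    (17, 1): (17, 1, 3),
    (16, 1): (16, 1, 6, 1),
    (15, 1): (15, 1, 10, 8),
}


def parse_version(text):
    """'17.1.1.2' -> (17, 1, 1, 2); tolerates prefixes such as 'BIG-IP 17.1.1'."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(version_text):
    """Return a dict with status 'affected', 'fixed' or 'not-listed' (branch not on this page)."""
    v = parse_version(version_text)
    branch = v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return {"version": v, "status": "not-listed", "fix": None}
    # Tuple comparison treats a shorter prefix as lower: (17, 5, 1) < (17, 5, 1, 3).
    status = "affected" if v < fixed else "fixed"
    return {"version": v, "status": status, "fix": ".".join(map(str, fixed))}


if __name__ == "__main__":
    # Constructed inputs, not output from a real device.
    for sample in ["17.5.1.2", "17.1.3", "BIG-IP 16.1.6", "15.1.10.8", "14.1.5"]:
        print(sample, "->", assess(sample))
```

Branches the page does not list (for example 14.1) come back as `not-listed` rather than `fixed`, so that the checker never reports a release the advisory says nothing about as safe.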
Detection and Monitoring Guidance
- Monitor for the presence of /run/bigtlog.pipe or /run/bigstart.ltm.
- Watch for restjavad-audit logs showing POST requests to /mgmt/tm/util/bash originating from localhost (127.0.0.1).
- Look for outbound HTTPS traffic with a Content-Type: text/css that returns an HTTP 201 Created response—this is a known camouflage technique used by the exploit.
- Alert on apmd spawning unexpected child processes (e.g., sh, bash, python).
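The four indicators above as triage checks over constructed sample data, written as an added Python example that is not part of the original advisory or of F5's tooling. The restjavad-audit line shape matched by `AUDIT_RE`, the `(pid, ppid, comm)` process tuples, and the `(direction, content_type, status, peer)` HTTP records are assumptions about input format; adapt them to the real log layout on your device. All function names are mine.

```python
"""Triage helpers for the detection indicators in this advisory (added example).
Log formats below are constructed assumptions, not F5's actual log layout."""
import re

# File paths and child-process names named as indicators on this page.
INDICATOR_PATHS = {"/run/bigtlog.pipe", "/run/bigstart.ltm"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "python", "python3"}

# Assumed audit record shape: method, uri and source appear in that order.
AUDIT_RE = re.compile(
    r'"method":"(?P<method>\w+)".*?"uri":"(?P<uri>[^"]+)".*?"from":"(?P<src>[^"]+)"'
)


def flag_audit_lines(lines):
    """POST to /mgmt/tm/util/bash originating from localhost (page indicator)."""
    hits = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue
        if (m["method"].upper() == "POST"
                and "/mgmt/tm/util/bash" in m["uri"]
                and m["src"].split(":")[0] == "127.0.0.1"):
            hits.append(line)
    return hits


def flag_apmd_children(processes):
    """processes: (pid, ppid, comm) tuples, e.g. parsed from `ps -eo pid,ppid,comm`.
    Returns shells/interpreters whose direct parent process is apmd."""
    comm_by_pid = {pid: comm for pid, _, comm in processes}
    return [(pid, comm) for pid, ppid, comm in processes
            if comm_by_pid.get(ppid) == "apmd" and comm in SUSPICIOUS_CHILDREN]


def flag_indicator_paths(present_paths):
    """present_paths: paths that exist on the box (e.g. collected with os.path.exists)."""
    return sorted(INDICATOR_PATHS & set(present_paths))


def flag_css_201(http_records):
    """http_records: (direction, request_content_type, response_status, peer).
    Outbound requests typed text/css answered with 201 Created match the
    camouflage pattern described on this page."""
    return [r for r in http_records
            if r[0] == "outbound"
            and r[1].lower().startswith("text/css")
            and r[2] == 201]


def triage(audit_lines, processes, present_paths, http_records):
    """Run all four checks and return the hits per indicator."""
    return {
        "audit": flag_audit_lines(audit_lines),
        "apmd_children": flag_apmd_children(processes),
        "indicator_paths": flag_indicator_paths(present_paths),
        "css_201": flag_css_201(http_records),
    }


# Constructed sample inputs (not real logs or process listings).
SAMPLE_AUDIT = [
    '[I][14 Mar 2026 10:01:02 UTC] {"user":"local/admin","method":"GET","uri":"/mgmt/tm/sys/version","from":"10.0.0.5:51200"}',
    '[I][14 Mar 2026 10:01:09 UTC] {"user":"local/admin","method":"POST","uri":"/mgmt/tm/util/bash","from":"127.0.0.1:43112"}',
    '[I][14 Mar 2026 10:02:00 UTC] {"user":"local/admin","method":"POST","uri":"/mgmt/tm/util/bash","from":"10.0.0.5:51244"}',
]
SAMPLE_PROCS = [
    (1, 0, "init"), (4120, 1, "apmd"), (4310, 4120, "bash"),
    (4311, 4120, "apmd"), (5000, 1, "sshd"), (5010, 5000, "bash"),
]
SAMPLE_PATHS = ["/run/bigstart.ltm", "/run/bigd.pid"]
SAMPLE_HTTP = [
    ("outbound", "text/css", 201, "203.0.113.7"),
    ("outbound", "application/json", 200, "203.0.113.7"),
    ("inbound", "text/css", 201, "198.51.100.9"),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_AUDIT, SAMPLE_PROCS, SAMPLE_PATHS, SAMPLE_HTTP).items():
        print(f"{name}: {hits}")
```

The third audit line (a POST to `/mgmt/tm/util/bash` from a remote admin host) is deliberately not flagged, because the page's indicator is the localhost origin; a bash child of sshd is likewise ignored, since only children of apmd are in scope. Anything these checks flag is a lead for the breach-style investigation the Operational Implication section calls for, not proof of compromise by itself.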
References
https://eclypsium.com/blog/f5-big-ip-cve-2025-53251
https://my.f5.com/manage/s/article/K000156741
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://socradar.io/blog/cve-2025-53521-f5-big-ip-apm-flaw-rce
https://hadrian.io/blog/f5-big-ip-apm-remote-code-execution-cve-2025-53521-active-exploitation