F5 BIG-IP APM, unauthenticated remote code execution via crafted access-policy traffic
When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to remote code execution in the access-policy daemon. The vulnerability is unauthenticated and was reclassified from a denial-of-service issue to a remote-code-execution issue after real-world exploitation and post-compromise activity were observed. F5 published fixes and CISA added the flaw to its Known Exploited Vulnerabilities catalog.
Overview
CVE-2025-53521 is a critical stack-based buffer overflow in F5 BIG-IP Access Policy Manager (APM). When an APM access policy is bound to a virtual server, specially crafted traffic reaching the access-policy daemon can lead to unauthenticated remote code execution. F5 originally published the issue in October 2025 as a denial-of-service problem, then reclassified it as remote code execution in March 2026 after exploitation and post-compromise malware activity were observed against exposed devices. F5 scores it CVSS 4.0 9.3 (and CVSS 3.1 9.8); NVD has not yet provided its own assessment, so these are the authoritative CNA scores. CISA added it to the Known Exploited Vulnerabilities catalog on 27 March 2026.
Technical Details
The flaw is a stack-based buffer overflow (CWE-121) in apmd, the daemon that processes live access-policy traffic on the data plane. When a virtual server has an APM access policy applied, the daemon parses incoming request data; a crafted message overruns a fixed-size stack buffer, corrupting saved control data and allowing an attacker to redirect execution. Because the vulnerable code path is exercised by data-plane traffic rather than the management interface, any internet-facing virtual server with an APM policy is exploitable without credentials. Tens of thousands of exposed BIG-IP APM instances were reported during the 2026 exploitation wave.
Impact
- Unauthenticated remote code execution on the BIG-IP data plane
- Compromise of a device that brokers VPN, SSO and application access for the enterprise
- Theft of authentication material and access-policy configuration
- Deployment of post-compromise malware, as observed during active exploitation
Mitigation
- Upgrade BIG-IP 17.5.x to 17.5.1.3 or later.
- Upgrade BIG-IP 17.1.x to 17.1.3 or later.
- Upgrade BIG-IP 16.1.x to 16.1.6.1 or later.
- Upgrade BIG-IP 15.1.x to 15.1.10.8 or later.
- Where patching must wait, restrict data-plane access to APM virtual servers and follow the mitigations in F5 article K000156741; software past End of Technical Support must be migrated to a supported, fixed release.
Detection
- CISA added CVE-2025-53521 to the KEV catalog on 27 March 2026 with a remediation due date of 30 March 2026.
- Confirm which virtual servers have an APM access policy applied, as only those configurations are exploitable.
- Inspect BIG-IP for unexpected apmd crashes or restarts and for unknown processes or files indicative of post-compromise malware.
- Because exploitation has been confirmed in the wild, treat any exposed and unpatched APM instance as potentially compromised and rotate credentials and certificates handled by the device after patching.
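A small triage helper, added here as an example and not code from F5 or the advisory, that applies the two checks above: it compares a running BIG-IP version against the fixed releases listed under Mitigation, and it flags virtual servers whose profile list references an APM access profile. The `tmsh`-style listings are constructed sample text modelled on `tmsh list ltm virtual` and `tmsh list apm profile access`; real output carries more properties, so the parser keys only on block headers and profile names.

```python
import re

# Fixed releases per branch, as listed in the advisory. A branch absent from
# this table has no fixed build and must be migrated to a supported release.
FIXED = {
    (17, 5): (17, 5, 1, 3),
    (17, 1): (17, 1, 3),
    (16, 1): (16, 1, 6, 1),
    (15, 1): (15, 1, 10, 8),
}

def parse_version(text):
    """'17.1.2.1' -> (17, 1, 2, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_patch(version):
    """True when the version is below the fixed build for its branch,
    or when the branch has no fixed build at all (End of Technical Support)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return True if fixed is None else v < fixed

def access_profiles(apm_listing):
    """Names of APM access profiles from 'apm profile access <name> {' headers."""
    return set(re.findall(r"^apm profile access (\S+) \{", apm_listing, re.M))

def apm_virtual_servers(vs_listing, profiles):
    """Virtual servers whose 'profiles { ... }' block references an access profile.
    Only these are reachable on the vulnerable apmd code path."""
    exposed = []
    for block in re.finditer(r"^ltm virtual (\S+) \{(.*?)^\}", vs_listing, re.M | re.S):
        name, body = block.group(1), block.group(2)
        prof = re.search(r"profiles \{(.*?)\n    \}", body, re.S)
        if prof is None:
            continue
        attached = set(re.findall(r"^\s+(\S+) \{", prof.group(1), re.M))
        if attached & profiles:
            exposed.append(name)
    return exposed

# Constructed sample listings (hypothetical names and RFC 5737 addresses).
SAMPLE_APM = "apm profile access portal_access {\n    type ltm-apm\n}\n"
SAMPLE_VS = (
    "ltm virtual vs_portal {\n    destination 203.0.113.10:443\n    profiles {\n"
    "        clientssl { context clientside }\n        http { }\n"
    "        portal_access { }\n        tcp { }\n    }\n}\n"
    "ltm virtual vs_plain_web {\n    destination 203.0.113.11:80\n    profiles {\n"
    "        http { }\n        tcp { }\n    }\n}\n"
)

if __name__ == "__main__":
    print("needs patch:", needs_patch("17.1.2.1"))
    print("APM virtual servers:", apm_virtual_servers(SAMPLE_VS, access_profiles(SAMPLE_APM)))
```

On a live device the same functions can be fed the output of `tmsh show sys version`, `tmsh list apm profile access` and `tmsh list ltm virtual` instead of the constructed samples.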