The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a new flaw in F5 BIG-IP systems to its Known Exploited Vulnerabilities (KEV) list. They warned that this flaw is being used in real-world attacks.
The vulnarability, known as CVE-2025-53521, was officially noted on March 27, 2026, and federal agencies must fix it by March 30, 2026.
CVE-2025-53521 is described as an unspecified vulnerability within F5 BIG-IP Access Policy Manager (APM) that could allow remote code execution (RCE).
F5 BIG-IP Vulnerability Exploited
CISA added the vulnerability to the KEV catalog, meaning that attackers are using it already. There isn’t any proof connecting this flaw to ransomware yet, but the agency pointed out that flaws that allow RCE are often used in attacks afterward, like moving around networks and stealing data.
CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to use vendor fixes right away or stop using affected systems if there are no patches or workarounds.
The directive falls under Binding Operational Directive (BOD) 22-01, which mandates the rapid remediation of vulnerabilities listed in the KEV catalog.
F5 has unveiled guidelines to fix the problem, and companies should quickly follow the official steps to reduce risk. Security teams need to check logs and watch for signs of a breach, especially strange admin actions or unauthorized changes in BIG-IP systems.
The quick addition of CVE-2025-53521 to the KEV list shows that attackers are still going after edge devices and network parts.
These systems are often at important points in businesses, making them valuable targets for getting in and staying in. Organizations that use F5 BIG-IP products should treat this vulnerability as a serious threat and take action right away to reduce possible harm.
InfoSecBulletin Cybersecurity for mankind
