Critical RCE Vulnerability in F5 BIG-IP APM Exploited in the Wild: Thousands of Instances Exposed
A critical remote code execution (RCE) vulnerability, **CVE-2025-53521**, in **F5**'s **BIG-IP APM** is being actively exploited, putting thousands of instances at risk. The vulnerability allows attackers to gain remote code execution on unpatched systems. Organizations are urged to apply the necessary patches and investigate for potential compromise.

**F5** customers are facing a critical situation as a remote code execution (RCE) vulnerability in **BIG-IP APM** is being actively exploited. Internet threat-monitoring non-profit **Shadowserver** has identified over 14,000 **BIG-IP APM** instances exposed online amidst ongoing attacks targeting **CVE-2025-53521**.
### What is BIG-IP APM?
**BIG-IP APM** (Access Policy Manager) is **F5**'s centralized access management proxy solution. It's designed to help administrators secure access to their organization's networks, cloud environments, applications, and APIs.
### CVE-2025-53521: From DoS to RCE
The five-month-old flaw, tracked as **CVE-2025-53521**, was initially disclosed in October as a denial-of-service (DoS) vulnerability. However, it was reclassified as an RCE bug following new information obtained in March 2026.
"Due to new information obtained in March 2026, the original vulnerability is being re-categorized to an RCE. The original **CVE** remediation has been validated to address the RCE in the fixed versions. We have learned that this vulnerability has been exploited in the vulnerable **BIG-IP** versions," **F5** warned in a recent advisory update.
Attackers can leverage this vulnerability to gain remote code execution on unpatched **BIG-IP APM** systems with access policies configured on a virtual server, without requiring any privileges.
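Because the advisory scopes the exposure to BIG-IP APM systems that have an access policy attached to a virtual server, the first triage question for a defender is which virtual servers on a given device actually carry one. The script below is an added example, not from the article and not F5's own tooling: it cross-references the names returned by `tmsh list apm profile access` against the profile lists in `tmsh list ltm virtual` and reports the virtual servers that expose an APM access policy. The brace-delimited output format it parses and both sample outputs are constructed assumptions, not captures from a real device.

```python
"""
Inventory virtual servers with a BIG-IP APM access profile attached.

Added example (not from the article or from F5). Assumes the inputs are the
text output of `tmsh list apm profile access` and `tmsh list ltm virtual`
in tmsh's brace-delimited format; the samples below are constructed.
"""
from __future__ import annotations

import re

# Constructed sample of `tmsh list apm profile access` output (not real data).
SAMPLE_ACCESS_PROFILES = """\
apm profile access /Common/vpn_policy {
    app-service none
    accept-languages { en }
}
apm profile access /Common/portal_policy {
    app-service none
}
"""

# Constructed sample of `tmsh list ltm virtual` output (not real data).
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_vpn {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/vpn_policy { }
    }
}
ltm virtual /Common/vs_plain_web {
    destination /Common/203.0.113.11:80
    ip-protocol tcp
    profiles {
        /Common/http { }
    }
}
ltm virtual /Common/vs_portal {
    destination /Common/198.51.100.20:443
    ip-protocol tcp
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/portal_policy { }
    }
}
"""


def parse_access_profiles(tmsh_output: str) -> set[str]:
    """Names of every APM access profile defined on the device."""
    return set(re.findall(r"^apm profile access (\S+) \{", tmsh_output, re.M))


def parse_virtual_profiles(tmsh_output: str) -> dict[str, dict]:
    """Map each virtual server to its destination and attached profile names."""
    virtuals: dict[str, dict] = {}
    current = None
    in_profiles = False
    for line in tmsh_output.splitlines():
        start = re.match(r"^ltm virtual (\S+) \{", line)
        if start:
            current = {"destination": None, "profiles": []}
            virtuals[start.group(1)] = current
            in_profiles = False
            continue
        if current is None:
            continue
        if line.startswith("    destination "):
            current["destination"] = line.strip().split(None, 1)[1]
        elif line == "    profiles {":
            in_profiles = True
        elif in_profiles and line == "    }":
            in_profiles = False          # closing brace of the profiles block
        elif in_profiles:
            # Profile entries sit at 8-space indent; nested keys are deeper.
            prof = re.match(r"^\s{8}(\S+) \{", line)
            if prof:
                current["profiles"].append(prof.group(1))
    return virtuals


def find_apm_virtuals(access_output: str, virtual_output: str) -> list[tuple]:
    """Virtual servers that expose an APM access policy: (name, destination, profiles)."""
    access = parse_access_profiles(access_output)
    exposed = []
    for name, info in parse_virtual_profiles(virtual_output).items():
        attached = sorted(p for p in info["profiles"] if p in access)
        if attached:
            exposed.append((name, info["destination"], attached))
    return exposed


if __name__ == "__main__":
    # On a device, feed in the real tmsh outputs instead of the samples.
    for name, dest, profiles in find_apm_virtuals(SAMPLE_ACCESS_PROFILES, SAMPLE_VIRTUALS):
        print(f"{name} -> {dest} access profiles: {', '.join(profiles)}")
```

Virtual servers listed by this check that also face the internet are the configuration the article's exposure counts describe; they are the ones to patch first, or to take off the edge until the fixed version is installed.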
### Scale of Exposure
While the exact number of vulnerable **BIG-IP APM** instances exposed online remains unknown, **Shadowserver** reports tracking over 17,100 IPs with **BIG-IP APM** fingerprints.

According to **Shadowserver**'s data, more than 14,000 **BIG-IP APM** systems are still exposed to **CVE-2025-53521** attacks. This is despite the U.S. **Cybersecurity and Infrastructure Security Agency (CISA)** ordering federal agencies to secure their **BIG-IP APM** systems by Monday night, following the addition of the vulnerability to its list of actively exploited flaws.
### F5's Recommendations and Indicators of Compromise
**F5** has published indicators of compromise (IOCs) and advises defenders to thoroughly check the disks, logs, and terminal history of **BIG-IP** devices for signs of malicious activity. They also provide guidance on post-compromise measures, including rebuilding affected systems from scratch.
"If customers do not know exactly when the system was compromised, user configuration set (UCS) backups may have been created after the compromise occurred," the company stated.
"**F5** strongly recommends that customers rebuild the configuration from a known good source because UCS files from compromised systems can contain persistent malware."
### A Recurring Target
**F5**, a Fortune 500 technology company, provides cybersecurity, application delivery networking (ADN), and other services to over 23,000 customers, including 48 Fortune 50 companies.
In recent years, **BIG-IP** vulnerabilities have been consistently targeted by both nation-state actors and cybercrime groups for various malicious purposes, including:
* Breaching corporate networks
* Hijacking devices
* Deploying data-wiping malware
* Mapping internal servers
* Stealing sensitive data