Week 14 – Cracked Open: A Critical F5 Flaw Hiding Inside the Easter Egg

30 Mar – 05 Apr 2026
Our CVE of the Week concerns F5 BIG-IP APM (Access Policy Manager), which consolidates remote, mobile, network, virtual, and web access.
With BIG-IP APM, you can create, enforce, and centralize simple, dynamic, intelligent application access policies for all of your apps, regardless of where or how they are hosted.
A critical vulnerability, CVE-2025-53521, rated with a CVSS score of 9.3, is being exploited by unauthenticated remote threat actors to deploy web shells. The flaw arises from improper handling of crafted traffic in the APM component when an access policy is attached to a virtual server; a BIG-IP system with no access policy on any virtual server does not expose the vulnerable code path.
Further details on the exploitation technique remain limited.
Why is it critical?
The vulnerability is reachable over the network, requires neither authentication nor user interaction, and successful exploitation lets the attacker deploy a web shell on the targeted device, giving persistent remote access to an appliance that typically sits at the edge of the network.
It is important to note that attackers are actively exploiting the following affected versions:
- 17.5.0 – 17.5.1
- 17.1.0 – 17.1.2
- 16.1.0 – 16.1.6
- 15.1.0 – 15.1.10
How can you protect your environment?
Check the F5 knowledge article linked below and follow F5's instructions to determine whether your release is known to be vulnerable, then apply the fixed release F5 lists for your branch. Because exploitation drops web shells, patching alone does not remove an attacker who is already present: review affected devices for signs of compromise before trusting them again.
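As an added example (not F5's tooling and not part of the original post), the script below compares a BIG-IP version string against the affected ranges quoted above, taking the version from the output of tmsh show sys version. The tmsh output layout and the sample dump are constructed assumptions; fixed versions, point releases and engineering hotfixes are not encoded here and must be confirmed against F5's K article. A version match is necessary but not sufficient: the device is only exposed if an access policy is attached to a virtual server.

```python
"""Triage a BIG-IP version against the affected ranges quoted in this post.

Added example, not F5's tooling. The ranges below are the ones listed in the
post; fixed versions must be taken from F5 K000156741, which this script does
not encode. The tmsh output format is an assumption (see constructed sample).
"""
import re

# Inclusive (low, high) ranges on (major, minor, maintenance), as listed above.
AFFECTED_RANGES = [
    ((17, 5, 0), (17, 5, 1)),
    ((17, 1, 0), (17, 1, 2)),
    ((16, 1, 0), (16, 1, 6)),
    ((15, 1, 0), (15, 1, 10)),
]


def parse_version(version):
    """Turn '17.1.2' or '17.1.2.1' into (major, minor, maintenance).

    Only the first three components are compared: a point release is treated
    like its base release here (assumption), so check the K article for the
    exact fixed builds before concluding a point release is safe.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def version_from_tmsh(output):
    """Extract the version from `tmsh show sys version` output (assumed layout)."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "Version":
            return parts[1]
    raise ValueError("no 'Version' line found in tmsh output")


# Constructed sample of `tmsh show sys version` output; not captured from a real device.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1
  Build       0.0.14
  Edition     Final
"""


def triage(output):
    """Return (version, affected) for a tmsh version dump."""
    v = version_from_tmsh(output)
    return v, is_affected(v)


if __name__ == "__main__":
    v, hit = triage(SAMPLE_TMSH_OUTPUT)
    status = "in an affected range, consult F5 K000156741" if hit else "not in the listed ranges"
    print(f"BIG-IP {v}: {status}")
```

Run it on each device's tmsh output (or the version reported by iControl REST) to build a fleet-wide list of candidates, then confirm on those devices whether any virtual server carries an access profile before prioritising the upgrade.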
For more information:
https://my.f5.com/manage/s/article/K000156741
F5 BIG-IP Vuln Reclassified as RCE, Under Exploitation
Happy Easter and see you next week!

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.