Over 14,000 servers running F5 BIG-IP APM remain exposed to remote code execution attacks. The vulnerability is already being actively exploited, and it looks like some companies either didn’t get around to patching it in time or simply chose not to fix it.
We’re talking about F5 BIG-IP APM, which often sits right at the edge of a corporate network. It handles access to internal services, VPN connections, and various APIs. So once it gets compromised, a lot of doors suddenly open.
The vulnerability, CVE-2025-53521, didn’t look that serious at first. But later it turned out it could be used for remote code execution without authentication, which puts it in a completely different league.
The attack itself is fairly straightforward: an attacker sends a specially crafted request and gains control over the system. No logins or passwords required, and that’s exactly what makes it so dangerous.
According to the latest data, more than 17,000 of these instances are visible online, and around 14,000 of them are still potentially vulnerable. That means the attack surface is still massive.
The Cybersecurity and Infrastructure Security Agency has already added this issue to its list of actively exploited vulnerabilities and is clear about it: patch it immediately.
The issue doesn’t affect every setup. It shows up when APM is configured with certain access policies on virtual servers, but that kind of configuration is pretty common.
Here’s the important part: these systems are often used by large companies. They sit at the gateway to internal infrastructure. And if that gateway is open, it’s only a matter of time before someone walks in.
This is a classic cybersecurity story. A patch exists, the information is out there, yet thousands of systems remain unprotected.
With F5, this is especially critical because compromising such a node often means gaining access to the entire network. So there’s really no middle ground here: either you patch and audit your system quickly, or sooner or later someone else will do it for you.
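The configuration condition mentioned above (an APM access policy attached to a virtual server) can be inventoried from a saved copy of the device configuration. The following is an added example, not code from this article or from F5: it assumes `bigip.conf`-style stanzas, uses a constructed sample with made-up object names, and, because the article does not say which policies are affected, treats every attached access profile as in scope.

```python
import re

# Constructed, simplified sample in bigip.conf stanza syntax (names are made up).
SAMPLE_CONF = """\
apm profile access /Common/corp_vpn_access {
    default-language en
}
ltm virtual /Common/vs_vpn_portal {
    destination /Common/203.0.113.10:443
    profiles {
        /Common/corp_vpn_access { }
        /Common/http { }
    }
}
ltm virtual /Common/vs_public_web {
    destination /Common/203.0.113.20:443
    profiles {
        /Common/http { }
    }
}
"""

HEADER = re.compile(r"^(apm profile access|ltm virtual) (\S+) \{\s*$")

def top_level_stanzas(conf):
    """Yield (kind, name, body_lines) for access-profile and virtual-server stanzas."""
    depth, current = 0, None
    for line in conf.splitlines():
        if depth == 0:  # only top-level lines can open a new stanza
            m = HEADER.match(line)
            current = (m.group(1), m.group(2), []) if m else None
        elif current:
            current[2].append(line)
        depth += line.count("{") - line.count("}")  # naive: assumes balanced braces
        if depth == 0 and current:
            yield current
            current = None

def virtuals_with_access_profile(conf):
    """Map each virtual server to the APM access profiles its stanza references."""
    stanzas = list(top_level_stanzas(conf))
    access = {name for kind, name, _ in stanzas if kind == "apm profile access"}
    hits = {}
    for kind, name, body in stanzas:
        if kind == "ltm virtual":
            # A reference is any body line whose first token is a known access profile.
            refs = {ln.split()[0] for ln in body if ln.strip()} & access
            if refs:
                hits[name] = sorted(refs)
    return hits
```

Virtual servers returned by `virtuals_with_access_profile` are the ones to check first against the vendor's fixed versions and to review for signs of compromise.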