{"id":16026,"date":"2026-03-31T18:51:08","date_gmt":"2026-03-31T18:51:08","guid":{"rendered":"https:\/\/newestek.com\/?p=16026"},"modified":"2026-03-31T18:51:08","modified_gmt":"2026-03-31T18:51:08","slug":"5-month-old-f5-big-ip-dos-bug-becomes-critical-rce-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16026","title":{"rendered":"5-month-old F5 BIG-IP DoS bug becomes critical RCE exploited in the wild"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A vulnerability misclassified five months ago as a denial-of-service issue in F5 BIG-IP Access Policy Manager (APM) turned out to be a critical pre-authentication remote code execution flaw that is now under active exploitation. Hackers are using it to deploy a persistent malware program that runs with root privileges.<\/p>\n<p>The CVE-2025-53521 vulnerability was first disclosed in October 2025 as a DoS issue with a CVSS severity score of 7.5. F5 <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000156741\">updated the advisory<\/a> Friday, reclassifying it as remote code execution and raising its score to CVSS 9.8 in light of \u201cnew information\u201d it has received. The same day, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and the Netherlands Cyber Security Centre <a href=\"https:\/\/advisories.ncsc.nl\/2025\/ncsc-2025-0319.html\">reported seeing active exploitation<\/a>.<\/p>\n<p>BIG-IP APM is F5\u2019s secure access solution that allows enterprises, service providers, and government agencies to control authentication, authorization, and VPN access across remote, mobile, and cloud environments. 
The Shadowserver Foundation currently tracks over 240,000 F5 BIG-IP instances on the internet, but it\u2019s not clear how many run vulnerable versions.<\/p>\n<p>\u201cWhen F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn\u2019t immediately signal urgency, and many system administrators likely prioritized it accordingly,\u201d Benjamin Harris, CEO of offensive security firm watchTowr, told CSO. \u201cFast-forward to today\u2019s big \u2018yikes\u2019 moment: The situation has changed significantly. What we\u2019re observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That\u2019s a very different risk profile than what was initially communicated.\u201d<\/p>\n<p>Patching is only part of the equation and the immediate focus for security teams should be on determining whether the flaw has already been exploited in their environments, Harris noted.<\/p>\n<p>The vulnerability affects BIG-IP APM versions 17.1.0 to 17.1.2, 17.5.0 to 17.5.1, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10. F5 released patches in versions 17.1.3, 17.5.1.3, 16.1.6.1, and 15.1.10.8. The company also published <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000160486\">a knowledge base article with indicators of compromise<\/a>, attacker TTPs, and hardening guidance against the observed malware.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-the-attack-works\">How the attack works<\/h2>\n<p>BIG-IP APM is only affected when configured on a virtual server, which is a limiting factor for the attacks, but is not an unusual deployment. 
Successful exploitation grants attackers root-level access and full control of the underlying operating system.<\/p>\n<p>The company tracks the deployed malware program as \u201cc05d5254\u201d and notes that it creates files at <code>\/run\/bigtlog.pipe<\/code> and <code>\/run\/bigstart.ltm<\/code> and makes changes to system binaries, including <code>\/usr\/bin\/umount<\/code> and <code>\/usr\/sbin\/httpd<\/code>. Attackers have also been observed modifying the <code>sys-eicheck<\/code> utility, which relies on RPM integrity checks to verify on-disk executables.<\/p>\n<p>Log analysis can reveal patterns related to the attack. The user \u201cf5hubblelcdadmin\u201d accessing the iControl REST API from localhost, SELinux disable commands in auditd logs and Base64-encoded data written to files followed by execution of <code>\/run\/bigstart.ltm<\/code> all indicate successful intrusion. F5 also observed threat actors using HTTP 201 response codes with CSS content-type headers to disguise malicious traffic.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigation\">Mitigation<\/h2>\n<p>Organizations that applied the October 2025 updates are already protected, as the original patches also address the RCE vector, but systems running vulnerable versions require immediate patching and compromise assessment.<\/p>\n<p>Organizations should not assume their systems are clean based solely on patching because UCS backup files from compromised systems can contain copies of the malware. 
F5 recommends rebuilding configurations from scratch rather than restoring from backup if the compromise timeframe is uncertain.<\/p>\n<p>The <code>sys-eicheck<\/code> utility can identify integrity failures in <code>\/usr\/bin\/umount<\/code> and <code>\/usr\/sbin\/httpd<\/code>, though attackers have targeted the components this tool relies on.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A vulnerability misclassified five months ago as a denial-of-service issue in F5 BIG-IP Access Policy Manager (APM) turned out to be a critical pre-authentication remote code execution flaw that is now under active exploitation. Hackers are using it to deploy a persistent malware program that runs with root privileges. The CVE-2025-53521 vulnerability was first disclosed in October 2025 as a DoS issue with a CVSS&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16026\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16026","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16026"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16026\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}