CVE-2025-53521

CRITICAL
2025-10-15 [email protected]
9.3
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Added to CISA KEV
Mar 31, 2026 - 17:12 cisa
CISA KEV
PoC Detected
Mar 31, 2026 - 17:12 vuln.today
Public exploit code
Government Alert
Mar 31, 2026 - 17:12 cert
Government exploitation alert
Analysis Generated
Mar 27, 2026 - 18:22 vuln.today
CVE Published
Oct 15, 2025 - 14:15 nvd
CRITICAL 9.3

Tags

RCE Denial Of Service

Description

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Analysis

F5 BIG-IP APM (Access Policy Manager) contains a remote code execution vulnerability triggered by specific malicious traffic when an access policy is configured on a virtual server.

Technical Context

The CWE-770 allocation of resources without limits vulnerability in BIG-IP APM's access policy processing can be exploited through crafted traffic to achieve remote code execution on the BIG-IP device.

Affected Products

['F5 BIG-IP with APM access policy configured']

Remediation

Apply F5 security updates. Remove APM configurations from internet-facing virtual servers if not required. Restrict management access to BIG-IP.

Priority Score

137
Low Medium High Critical
KEV: +50
EPSS: +0.1
CVSS: +46
POC: +20

Share

CVE-2025-53521 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy