UK NCSC and CISA Urge Immediate Patching of Critical F5 BIG-IP RCE Flaw Under Active Exploitation
The UK National Cyber Security Centre and CISA are urging organizations to urgently patch CVE-2025-53521, a critical remote code execution vulnerability in F5 BIG-IP Access Policy Manager that was reclassified from a denial-of-service flaw and is now under active exploitation.

The UK National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) are urging organizations to immediately patch a critical vulnerability in F5's BIG-IP Access Policy Manager (APM) that is now under active exploitation. Tracked as CVE-2025-53521, the flaw was originally classified as a denial-of-service vulnerability with a CVSS score of 7.5, but F5 re-categorized it in March 2026 as a remote code execution (RCE) flaw with a critical CVSS score of 9.8.
According to F5, the vulnerability exists when a BIG-IP APM access policy is configured on a virtual server, so the first scoping step for defenders is to identify which virtual servers carry an access profile. The NCSC stated that it is "working to fully understand UK impact and any potential cases of active exploitation affecting UK networks," indicating that the threat is being taken seriously at the highest levels of government. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies until midnight on March 30 to apply patches, reflecting the severity of the bug.
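Because the affected configuration is an APM access policy attached to a virtual server, an operator's first question is which virtual servers are in scope. The following is an added example (not code from F5, the NCSC or CISA) of a shell check that intersects the list of APM access profiles with the profiles attached to each virtual server. It assumes the output of `tmsh list apm profile access one-line` and `tmsh list ltm virtual one-line` as its two inputs; the inputs embedded here are constructed samples written in an approximation of that one-line format, not captures from a real device, and names are compared on their last path component so that partition-qualified and relative names match.

```shell
#!/bin/sh
# Added example, not F5/NCSC/CISA code: list BIG-IP virtual servers that have an
# APM access profile attached, i.e. the configuration the advisory describes.
# On a real unit the two inputs come from (run both from the same tmsh folder):
#   tmsh list apm profile access one-line > /var/tmp/profiles.txt
#   tmsh list ltm virtual one-line        > /var/tmp/virtuals.txt
#   virtuals_with_access_policy /var/tmp/profiles.txt /var/tmp/virtuals.txt
# The sample data below is CONSTRUCTED in an approximation of tmsh one-line output.

sample_access_profiles() {
cat <<'EOF'
apm profile access /Common/portal_access { accept-languages { en } access-policy /Common/portal_access }
apm profile access /Common/vpn_access { accept-languages { en } access-policy /Common/vpn_access }
EOF
}

sample_virtuals() {
cat <<'EOF'
ltm virtual /Common/vs_portal { destination /Common/10.0.0.5:443 ip-protocol tcp mask 255.255.255.255 pool /Common/portal_pool profiles { /Common/clientssl { context clientside } /Common/http { } /Common/portal_access { } /Common/tcp { } } source 0.0.0.0/0 }
ltm virtual /Common/vs_web { destination /Common/10.0.0.6:80 ip-protocol tcp mask 255.255.255.255 pool /Common/web_pool profiles { /Common/http { } /Common/tcp { } } source 0.0.0.0/0 }
ltm virtual /Common/vs_vpn { destination /Common/10.0.0.7:443 ip-protocol tcp mask 255.255.255.255 profiles { /Common/clientssl { context clientside } /Common/http { } /Common/vpn_access { } /Common/tcp { } } source 0.0.0.0/0 }
EOF
}

# virtuals_with_access_policy PROFILE_FILE VIRTUAL_FILE
# Prints the name of every "ltm virtual" whose profiles { ... } block references
# a name that also appears as an "apm profile access" object. Names are reduced
# to their last path component before comparison, which over-reports rather than
# under-reports if the same name exists in two partitions (the safe direction).
virtuals_with_access_policy() {
  awk '
    function base(x) { sub(/.*\//, "", x); return x }
    # first file: collect access profile names
    NR == FNR { if ($1 == "apm" && $2 == "profile" && $3 == "access") names[base($4)] = 1; next }
    # second file: one virtual server per line
    $1 == "ltm" && $2 == "virtual" {
      s = $0
      i = index(s, "profiles {")
      if (i == 0) next
      s = substr(s, i + length("profiles {"))
      # walk to the brace that closes the profiles block, tracking nesting
      depth = 1; out = ""
      for (j = 1; j <= length(s); j++) {
        c = substr(s, j, 1)
        if (c == "{") depth++
        else if (c == "}") { depth--; if (depth == 0) break }
        out = out c
      }
      n = split(out, toks, /[ \t]+/)
      for (k = 1; k <= n; k++) if (base(toks[k]) in names) { print $3; break }
    }
  ' "$1" "$2"
}

# check_sample: run the check over the constructed sample data
check_sample() {
  d=$(mktemp -d)
  sample_access_profiles > "$d/profiles.txt"
  sample_virtuals > "$d/virtuals.txt"
  virtuals_with_access_policy "$d/profiles.txt" "$d/virtuals.txt"
  rm -rf "$d"
}

check_sample
```

This only scopes which virtual servers match the affected condition; it says nothing about whether the unit is patched or already compromised. Fixed versions and the indicators of compromise come from F5's advisory, and per the NCSC guidance a system that cannot be fully investigated should be treated as compromised regardless of what this check reports.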
F5 has released a security advisory and indicators of compromise (IoCs) to help organizations detect and respond to potential breaches. The company warned that UCS (user configuration set) backups taken from a compromised system may themselves carry persistent malware, so restoring a backup is not a remediation step, and strongly recommended rebuilding the configuration from scratch if the timing of the compromise is unknown. "If you do not know exactly when the system was compromised, or your UCS backups may have been created afterward, or both, F5 strongly recommends that you rebuild the configuration from scratch because UCS files from compromised systems can contain persistent malware," the advisory stated.
The NCSC has issued a detailed set of recommendations for F5 customers. These include isolating affected systems where possible, replacing them with fully updated systems (even if this causes service outages), fully investigating for evidence of compromise in line with F5's guidance, and reporting any incidents to the NCSC. If full investigation is not possible, the NCSC advises that affected systems should be "erased/destroyed and rebuilt as new." Organizations are also urged to update to the latest product version, apply security hardening, and perform continuous threat hunting after reintroducing systems.
F5 products have long been a target for sophisticated threat actors, including nation-state groups. In October 2025, F5 disclosed that a state-backed group had achieved "long-term, persistent access" to its own systems, stealing source code and undisclosed information about vulnerabilities in its products. This history underscores the importance of treating F5 BIG-IP vulnerabilities with the highest priority.
The reclassification of CVE-2025-53521 from a DoS flaw to a critical RCE vulnerability shows that an initial severity rating can understate a bug once its root cause is better understood. Organizations that deprioritized patching on the basis of the original 7.5 score are now facing active exploitation. The joint urgency from the NCSC and CISA, combined with the KEV catalog inclusion, signals that this is not a routine patch cycle but a critical security event requiring immediate action.
F5 customers should consult their corporate security policy for incident handling guidelines, including forensic best practices, in the event of compromise. The NCSC's guidance emphasizes that the safest course of action is to treat any potentially compromised system as fully compromised and rebuild from a known-good state. With active exploitation confirmed and government agencies given a hard deadline, the window for proactive defense is closing rapidly.