VYPR
kev · Published Mar 30, 2026 · Updated May 18, 2026 · 1 source

UK NCSC Warns of Active Exploitation of Critical F5 BIG-IP APM RCE Vulnerability CVE-2025-53521

The UK National Cyber Security Centre has issued an urgent alert over CVE-2025-53521, a critical unauthenticated remote code execution vulnerability in F5 BIG-IP Access Policy Manager that is being actively exploited in the wild.

The UK National Cyber Security Centre (NCSC) is urging organizations to take immediate action against a critical vulnerability in F5 BIG-IP Access Policy Manager (APM) that is under active exploitation. Tracked as CVE-2025-53521, the flaw has been recategorized by F5 as an unauthenticated remote code execution (RCE) vulnerability, elevating its severity and underscoring the urgency for patching.

The vulnerability resides in the BIG-IP APM module when an access policy is configured on a virtual server. According to F5's updated security advisory, specially crafted malicious traffic can trigger remote code execution without requiring any authentication. This makes the flaw particularly dangerous for large enterprises that rely on BIG-IP APM for secure access control, VPN termination, and identity federation.
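For inventory triage of the exposure condition described above, the following added example (not code from F5, the NCSC or the original article) lists virtual servers that have an APM access profile attached. It assumes a tmsh-style `bigip.conf` layout in which the access profile appears in the virtual server's `profiles` block; the sample configuration and all object names are constructed.

```python
# Added example: assumes tmsh-style bigip.conf layout; sample config and names are constructed.
SAMPLE_CONF = """\
apm profile access /Common/corp_vpn_ap {
    accept-languages { en }
}
ltm virtual /Common/vs_vpn_443 {
    destination /Common/192.0.2.10:443
    profiles {
        /Common/corp_vpn_ap { }
        /Common/clientssl { context clientside }
    }
}
ltm virtual /Common/vs_web_80 {
    profiles {
        /Common/http { }
    }
}
"""

def stanzas_of(text):
    """Yield (header, body) for each outermost 'header { body }' block in text."""
    depth, start, body_start, header = 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                lines = text[start:i].strip().splitlines()
                header = lines[-1].strip() if lines else ""
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[body_start:i]
                start = i + 1

def apm_exposed_virtuals(conf_text):
    """Map each virtual server name to the APM access profiles attached to it."""
    top = list(stanzas_of(conf_text))
    access = {h.split()[-1] for h, _ in top if h.startswith("apm profile access ")}
    exposed = {}
    for header, body in top:
        if not header.startswith("ltm virtual "):
            continue
        attached = {p for sub, sub_body in stanzas_of(body) if sub == "profiles"
                    for p, _ in stanzas_of(sub_body)}
        hits = sorted(attached & access)
        if hits:
            exposed[header.split()[-1]] = hits
    return exposed
```

The brace counting does not account for braces inside quoted strings or iRules, so treat the result as a triage aid for prioritizing which systems to investigate, not as proof that a device is unaffected.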

F5 has confirmed that it is aware of active exploitation of CVE-2025-53521 in the wild. The NCSC stated it is working to fully understand the impact on UK networks and any potential cases of compromise. The agency has published Indicators of Compromise (IoCs) provided by F5 and recommends that all organizations using affected products investigate for signs of intrusion, regardless of when the system was last updated.

The NCSC's guidance is unusually forceful, reflecting the severity of the threat. It advises organizations to isolate affected systems immediately and, if possible, replace them with fully up-to-date systems, even if that causes service outages. Where isolation is not feasible, the NCSC recommends erasing or destroying the affected system and rebuilding it from scratch. After remediation, organizations should apply the latest F5 patches, implement security hardening measures, and conduct continuous threat hunting.

CVE-2025-53521 poses a critical risk to large enterprises, government agencies, and service providers that commonly deploy BIG-IP APM for network access control and application delivery. The vulnerability's unauthenticated nature and active exploitation make it a prime target for ransomware groups and state-sponsored actors seeking initial access to high-value networks.

This incident follows a pattern of high-impact vulnerabilities in F5's BIG-IP product line, which has been a frequent target for attackers. In recent years, flaws such as CVE-2022-1388 (an unauthenticated RCE in BIG-IP iControl REST) and CVE-2023-46747 (a bypass in BIG-IP Configuration Utility) have been exploited in widespread campaigns. The recategorization of CVE-2025-53521 from a less severe rating to critical unauthenticated RCE highlights the evolving understanding of the threat and the need for vendors to communicate risk accurately.

Organizations using F5 BIG-IP APM should treat this as a zero-day-level emergency. The NCSC's alert, combined with F5's confirmation of active exploitation, leaves no room for delay. Security teams should prioritize patching, isolate affected systems, and hunt for IoCs immediately. For more details, refer to the F5 security advisory and the NCSC alert.

Synthesized by Vypr AI