
F5 BIG-IP Access Policy Manager
F5's access policy management module; CVE-2025-53521 was reclassified as a CVSS 9.8 unauthenticated RCE, with 14,000+ internet-exposed instances at the point of its addition to the CISA KEV catalogue.
Last refreshed: 17 April 2026 · Appears in 1 active topic
How many F5 APM gateways were exposed to code execution when CISA issued its warning?
Timeline for F5 BIG-IP Access Policy Manager
Affected by an actively exploited unauthenticated RCE vulnerability (CVE-2025-53521), with 14,000+ instances exposed at the point of reclassification
Topic: Cybersecurity: Threats and Defences (F5 reclassifies DoS bug to 9.8 RCE)
What is F5 BIG-IP APM and why was it hacked in 2026?
- F5 BIG-IP APM is an enterprise VPN and authentication gateway. CVE-2025-53521, initially rated medium severity, was reclassified as a CVSS 9.8 unauthenticated RCE in March 2026. CISA added it to the KEV catalogue, with Shadowserver showing 14,000+ exposed instances. Source: F5 / CISA / Shadowserver
Background
F5 BIG-IP Access Policy Manager (APM) is the internet-facing authentication and access control module of F5's BIG-IP platform. It is affected by CVE-2025-53521, which was reclassified on 28 March 2026 from a medium-severity denial-of-service bug to an unauthenticated Remote Code Execution (RCE) vulnerability with a CVSS v3.1 score of 9.8. Shadowserver scan data showed over 14,000 BIG-IP APM instances exposed at the point CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalogue. Memory-only web shells were confirmed as the post-exploitation artefact.
BIG-IP APM provides VPN gateway, identity-aware proxy and conditional access management for enterprise and government organisations. Like Citrix NetScaler, it sits at the authentication perimeter and controls access to all downstream applications. Unauthenticated RCE at this position lets an attacker execute code on the authentication gateway, enumerate sessions, capture credentials and pivot into the internal network without any prior authentication.
For enterprises with BIG-IP APM in their edge stack, the CVE-2025-53521 reclassification, combined with the CitrixBleed 3 disclosure in the same window, creates a compounding patch-urgency scenario for authentication-gateway infrastructure: both CVEs were added to the CISA KEV catalogue within days of each other in late March 2026.