Shadowserver

Organisation · US

Non-profit security foundation providing internet scan data showing vulnerable internet-facing systems, including 14,000+ exposed F5 BIG-IP APM instances.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

How many F5 BIG-IP instances were exposed when CISA added the critical RCE to KEV?

Timeline for Shadowserver

#1 · 17 Apr

Published scan data showing 14,000+ exposed BIG-IP APM instances at point of reclassification

Cybersecurity: Threats and Defences: F5 reclassifies DoS bug to 9.8 RCE
Common Questions
How many F5 BIG-IP appliances were still vulnerable when the critical patch dropped?
Shadowserver scan data showed over 14,000 F5 BIG-IP APM instances exposed on the internet at the point CISA added CVE-2025-53521 to KEV in late March 2026. Source: Shadowserver / CISA
What is the Shadowserver Foundation?
Shadowserver is a non-profit that runs internet-wide scans to identify and report vulnerable or compromised systems. It notifies network owners and national CERTs with free exposure reports.

Background

Shadowserver scan data showed over 14,000 F5 BIG-IP APM instances exposed to the internet at the point CISA added CVE-2025-53521 to the Known Exploited Vulnerabilities catalogue, quantifying the scale of unpatched deployment at reclassification. Shadowserver is regularly cited in NCSC and CISA advisories as the source of exposure-count statistics underpinning urgency assessments.

The Shadowserver Foundation is a non-profit organisation that conducts continuous internet-wide scanning to detect and report vulnerable or compromised devices. It notifies network owners, CERTs and national agencies of exposed infrastructure, providing free reports to qualifying organisations. Its data feeds into the KEV enforcement process by quantifying unpatched populations.

For enterprise security and GRC teams, Shadowserver's scan data translates CVE abstractions into concrete numbers: how many instances of a given vendor's product are live and unpatched on the public internet at a given moment. In the F5 case, the 14,000+ figure arrived at the moment the CVE was reclassified, helping security teams justify emergency patch escalation internally.