CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-53521: Unauthenticated Remote Code Execution in F5 BIG-IP APM

Vulnerability ID: CVE-2025-53521
CVSS Score: 9.8
Published: 2025-10-15

CVE-2025-53521 is a critical vulnerability in the F5 BIG-IP Access Policy Manager (APM) that permits unauthenticated, remote attackers to achieve Remote Code Execution (RCE) or Denial of Service (DoS). The flaw exists in the Traffic Management Microkernel (TMM) process, which fails to appropriately throttle or limit resource allocation when handling specific malicious traffic directed at active APM policies.

TL;DR

Unauthenticated attackers can exploit a resource allocation flaw (CWE-770) in the F5 BIG-IP APM TMM process to trigger a denial of service or execute arbitrary code on the appliance.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS v3.1: 9.8
  • EPSS Score: 0.19158 (95.31st percentile)
  • Impact: Remote Code Execution / Denial of Service
  • Exploit Status: Active
  • CISA KEV: Listed

Affected Systems

  • F5 BIG-IP Access Policy Manager (APM)
  • BIG-IP APM: 17.5.0 - 17.5.1 (Fixed in: 17.5.1.3)
  • BIG-IP APM: 17.1.0 - 17.1.2 (Fixed in: 17.1.3)
  • BIG-IP APM: 16.1.0 - 16.1.6 (Fixed in: 16.1.6.1)
  • BIG-IP APM: 15.1.0 - 15.1.10 (Fixed in: 15.1.10.8)

Mitigation Strategies

  • Upgrade BIG-IP APM to the patched versions provided by F5.
  • Monitor /var/log/tmm and /var/log/ltm for unexpected TMM process restarts.
  • Implement WAF rules to scrutinize anomalous HTTP requests targeting /renderer/, /my.policy, and DesktopDirect endpoints.

Remediation Steps

  1. Identify all BIG-IP virtual servers running an active APM access policy.
  2. Verify the current firmware version of the BIG-IP appliance.
  3. Download the appropriate fixed version (e.g., 17.5.1.3, 17.1.3, 16.1.6.1, or 15.1.10.8) from the F5 downloads portal.
  4. Schedule a maintenance window and apply the firmware update following F5's standard upgrade procedures.
  5. Verify system stability and APM policy functionality post-upgrade.
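Steps 1 to 3 above amount to an inventory exercise: find the devices with an active APM policy, compare each one's version against the affected ranges, and pick the fixed release for its branch. The script below is an added example (not code from the CVE Reports post or from F5) that does exactly that for a constructed inventory. The affected and fixed version numbers are copied from the Affected Systems list; the host names, the `apm_policy_active` flag and the idea that the version string comes from something like `tmsh show sys version` are assumptions of this example.

```python
# Added example, not part of the original post or of any F5 tooling: classify
# BIG-IP APM version strings against the ranges listed in the advisory and
# prioritise the upgrade order. Version data is from the advisory; everything
# else (hosts, flags) is constructed for illustration.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, fixed in) per branch, as stated in the advisory.
AFFECTED_RANGES = [
    ("17.5.0", "17.5.1", "17.5.1.3"),
    ("17.1.0", "17.1.2", "17.1.3"),
    ("16.1.0", "16.1.6", "16.1.6.1"),
    ("15.1.0", "15.1.10", "15.1.10.8"),
]


def parse_version(text: str) -> Version:
    """Turn '17.1.2' or '15.1.10.8' into a tuple of ints for ordered comparison.

    Anything that is not 2-4 dotted integers is rejected rather than guessed at,
    so a hotfix suffix or a typo cannot silently compare as 'fixed'.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for one device.

    'affected'   - inside an advisory range; upgrade to the returned fixed release
    'fixed'      - same branch, at or beyond the fixed release
    'not_listed' - branch not covered by the advisory; consult F5's bulletin directly
    """
    v = parse_version(version_text)
    for first, _last, fixed in AFFECTED_RANGES:
        f, x = parse_version(first), parse_version(fixed)
        if v[:2] != f[:2]:
            continue  # different major.minor branch
        # Tuple comparison makes (17, 5, 1) < (17, 5, 1, 3), so a bare '17.5.1'
        # and point releases such as 17.5.1.2 both count as affected.
        if f <= v < x:
            return "affected", fixed
        if v >= x:
            return "fixed", fixed
        return "not_listed", None  # below the first affected release of this branch
    return "not_listed", None


# Constructed sample inventory; in practice this would come from your CMDB or
# from running `tmsh show sys version` on each appliance (assumption).
INVENTORY: List[Dict] = [
    {"host": "bigip-apm-01.example.internal", "version": "17.1.2", "apm_policy_active": True},
    {"host": "bigip-apm-02.example.internal", "version": "16.1.6.1", "apm_policy_active": True},
    {"host": "bigip-ltm-01.example.internal", "version": "15.1.10.7", "apm_policy_active": False},
]


def triage(inventory: List[Dict]) -> List[Dict]:
    """Attach status, target release and upgrade priority to every inventory record.

    The advisory ties the flaw to traffic directed at active APM policies, so an
    unpatched device with an active policy is P1; an unpatched device without one
    still needs the upgrade but is P2.
    """
    out = []
    for rec in inventory:
        status, fixed = assess(rec["version"])
        if status == "affected" and rec["apm_policy_active"]:
            priority = "P1"
        elif status == "affected":
            priority = "P2"
        else:
            priority = "none"
        out.append({**rec, "status": status, "fixed_version": fixed, "priority": priority})
    return out


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['host']:35} {row['version']:10} {row['status']:11} "
              f"-> {row['fixed_version'] or '-':10} priority={row['priority']}")
```

The strict parser is deliberate: an unparseable version raises instead of being reported as "not_listed", because in an exposure review a silent miss is worse than a loud failure.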
