F5 Warns of Critical BIG-IP APM Zero-Day Exploited by Nation-State Actors
Take action: If you have F5 BIG-IP APM devices, isolate them from the internet where possible so they are reachable from trusted networks only. Then immediately update to the fixed firmware versions (17.5.1.3, 17.1.3, 16.1.6.1, or 15.1.10.8). If you suspect a device has already been compromised, rebuild it from scratch - don't restore from backups, as they may contain persistent malware. Also, audit for disabled SELinux and unauthorized webshells.
Learn More
F5 reports that a critical vulnerability in its BIG-IP Access Policy Manager (APM) is being actively exploited by a threat group.
Originally identified as a Denial-of-Service (DoS) flaw in October 2025, the vulnerability was re-categorized in March 2026 to a critical remote code execution (RCE) path after new evidence of in-the-wild attacks emerged.
The vulnerability is tracked as CVE-2025-53521 (CVSS score 9.8): an unauthenticated remote code execution vulnerability in the BIG-IP APM apmd process that is reachable when an access policy is configured on a virtual server. Attackers send malicious traffic to the data plane to execute arbitrary commands with system privileges, which lets the adversary disable the SELinux kernel security module and gain persistent access to the underlying operating system.
The exploitation follows a significant breach of F5's internal systems in late 2025, where a nation-state actor stole proprietary source code and information about undisclosed vulnerabilities. Indicators of compromise (IOCs) show that attackers are deploying webshells that operate exclusively in memory to evade detection.
The threat group uses a novel malware dubbed "Junction" to move laterally from compromised F5 appliances to vCenter servers and ESXi hypervisors. Junction leverages VSOCK sockets to marshal data between guest virtual machines and the host, allowing attackers to reach into running VMs while leaving minimal forensic evidence.
The following versions of the BIG-IP APM product line are known to be vulnerable:
- 17.5.0 through 17.5.1
- 17.1.0 through 17.1.2
- 16.1.0 through 16.1.6
- 15.1.0 through 15.1.10
F5 says that the issue resides in the data plane and does not expose the control plane directly, but successful exploitation grants the attacker enough privilege to manipulate management functions.
Administrators should immediately update to the fixed versions, which are 17.5.1.3, 17.1.3, 16.1.6.1, and 15.1.10.8. F5 and CISA strongly recommend that organizations rebuild compromised systems from scratch instead of restoring from UCS backups, as backups may contain persistent malware.
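As an added example (not from F5 or the advisory), the following Python helper turns the affected ranges and fixed releases listed above into a patch-status check that an administrator can run over a device inventory; the branch table is copied from the advisory, while the function names, status labels and the sample hostnames are this example's own assumptions.

```python
"""Patch-status triage for CVE-2025-53521: classify BIG-IP APM version
strings against the affected ranges and fixed releases the advisory lists.
Branch table values come from the advisory; names and sample data are
this example's own (hypothetical)."""

# Per branch: inclusive vulnerable range (first three components) and the
# first fixed release. 17.5.0 through 17.5.1 -> fixed in 17.5.1.3, etc.
BRANCHES = {
    (17, 5): ((17, 5, 0), (17, 5, 1), (17, 5, 1, 3)),
    (17, 1): ((17, 1, 0), (17, 1, 2), (17, 1, 3)),
    (16, 1): ((16, 1, 0), (16, 1, 6), (16, 1, 6, 1)),
    (15, 1): ((15, 1, 0), (15, 1, 10), (15, 1, 10, 8)),
}


def parse_version(text):
    """'17.5.1.3' -> (17, 5, 1, 3); rejects anything not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Return 'fixed', 'vulnerable' or 'unknown' for one version string."""
    try:
        v = parse_version(text)
    except ValueError:
        return "unknown"
    branch = BRANCHES.get(v[:2])
    if branch is None:
        return "unknown"          # branch not covered by the advisory
    low, high, fixed = branch
    # Tuples compare lexicographically, so (17,5,1) < (17,5,1,3) and
    # (17,5,1,2) < (17,5,1,3): anything at or above the fix is patched.
    if v >= fixed:
        return "fixed"
    # Compare only the first three components so a point release such as
    # 17.5.1.2 still falls inside "17.5.0 through 17.5.1".
    if low <= v[:3] <= high:
        return "vulnerable"
    return "unknown"              # in-branch but outside the listed range


def triage(inventory):
    """Map {host: version} to {host: status} for a whole inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = {"apm-dmz-1": "17.5.1", "apm-dmz-2": "17.5.1.3",
          "apm-lab": "16.1.6", "apm-old": "14.1.0", "apm-hf": "15.1.10.7"}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are either on a branch the advisory does not list or have a version string this check cannot parse, and should be reviewed by hand rather than treated as patched.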
Administrators should also audit their environments for disabled SELinux modules and unauthorized webshells.