Active exploitation of F5 BIG-IP RCE vulnerability CVE-2025-53521

4 unique sources, 5 articles

Summary

CVE-2025-53521, initially disclosed as a DoS flaw in October 2025, has been reclassified as a critical RCE vulnerability (CVSS 9.8) following new exploitation activity in March 2026. Threat actors are actively exploiting the flaw by sending malicious traffic to virtual servers configured with BIG-IP APM, or to systems running in Appliance mode, to deploy webshells and other payloads. F5 has confirmed exploitation in the wild and published IOCs, and CISA added the flaw to its KEV catalog on March 28, 2026, with a three-day federal remediation deadline. Multiple actors are probing F5 infrastructure: sources report small variations between exploit payloads and scanning of REST API endpoints. Shadowserver tracks over 240,000 exposed BIG-IP instances, and the UK NCSC has urged immediate patching because of confirmed exploitation activity. The flaw affects BIG-IP APM versions 15.1.0–15.1.10, 16.1.0–16.1.6, 17.1.0–17.1.2, and 17.5.0–17.5.1. Fixed versions (15.1.10.8, 16.1.6.1, 17.1.3, 17.5.1.3) are available, and F5 recommends forensic best practices, including rebuilding compromised systems rather than restoring them, because UCS backups may carry persistent malware.

Timeline

  1. 30.03.2026 10:07 · 5 articles

    F5 BIG-IP APM RCE vulnerability CVE-2025-53521 exploited in the wild

    F5 reclassified CVE-2025-53521 as a critical RCE flaw (CVSS 9.8) on March 30, 2026, citing "new information obtained in March 2026" and confirming active exploitation in the wild. Threat actors exploit the flaw by sending specific malicious traffic to virtual servers configured with BIG-IP APM, or to systems running in Appliance mode, to achieve RCE and deploy webshells and other payloads. F5 published technical IOCs for exploitation activity, including dropped files (/run/bigtlog.pipe, /run/bigstart.ltm), hash mismatches, and timestamp anomalies in system binaries (/usr/bin/umount, /usr/sbin/httpd). Defused observed scanning activity targeting the /mgmt/shared/identified-devices/config/device-info REST API endpoint after the flaw's addition to CISA's KEV catalog on March 28, 2026. Sources also note minor deviations between exploit payloads seen over the past week, indicating that multiple actors are actively probing F5 infrastructure. F5 recommends forensic best practices and rebuilding compromised systems, since malware can persist in UCS backups.

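The host-side checks a responder would run against the F5 IOCs named above (presence of the dropped files, hash mismatch of the two system binaries, and a binary whose modification time does not match its package siblings) can be scripted. The following is an added example and not F5's own tooling; the known-good hashes and the sample filesystem tree are constructed here so it runs offline. On a real unit the baseline must come from a clean install of the same TMOS build, and the sweep is evidence gathering only: the page's advice to rebuild rather than restore still applies.

```python
"""IOC sweep for the CVE-2025-53521 indicators: dropped files, binary hash
mismatches and mtime anomalies. Added example; baseline and sample tree are
constructed, not real F5 data."""
import hashlib
import os
import tempfile
import time

IOC_PATHS = ["run/bigtlog.pipe", "run/bigstart.ltm"]      # dropped files named in the advisory summary
WATCHED_BINARIES = ["usr/bin/umount", "usr/sbin/httpd"]   # tampered binaries named in the advisory summary


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc_files(root):
    """IOC paths present under root (root='/' on a live unit). lexists also
    catches a FIFO or dangling symlink, which is what a .pipe file may be."""
    return [p for p in IOC_PATHS if os.path.lexists(os.path.join(root, p))]


def hash_mismatches(root, baseline):
    """baseline maps relative path -> known-good sha256. A missing file counts as a mismatch."""
    bad = []
    for rel, good in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or sha256_of(full) != good:
            bad.append(rel)
    return bad


def timestamp_anomalies(root, paths, max_skew_days=30):
    """Flag binaries whose mtime is more than max_skew_days after the oldest mtime
    in the set. Package-installed binaries share an install time, so a single
    recent mtime is the 'timestamp anomaly' the advisory describes."""
    mtimes = {}
    for rel in paths:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            mtimes[rel] = os.stat(full).st_mtime
    if not mtimes:
        return []
    oldest = min(mtimes.values())
    return [rel for rel, t in mtimes.items() if t - oldest > max_skew_days * 86400]


def sweep(root, baseline):
    return {
        "ioc_files": find_ioc_files(root),
        "hash_mismatches": hash_mismatches(root, baseline),
        "timestamp_anomalies": timestamp_anomalies(root, WATCHED_BINARIES),
    }


def build_sample_root():
    """Constructed sample tree: both binaries 'installed' a year ago, httpd then
    replaced today with different bytes, plus one dropped IOC file.
    Returns (root, baseline) where baseline was taken while the tree was clean."""
    root = tempfile.mkdtemp(prefix="bigip-sample-")
    clean = {"usr/bin/umount": b"clean umount bytes", "usr/sbin/httpd": b"clean httpd bytes"}
    for rel, data in clean.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    baseline = {rel: sha256_of(os.path.join(root, rel)) for rel in clean}
    year_ago = time.time() - 365 * 86400
    for rel in clean:
        os.utime(os.path.join(root, rel), (year_ago, year_ago))
    with open(os.path.join(root, "usr/sbin/httpd"), "wb") as f:   # trojaned: new bytes, mtime becomes now
        f.write(b"trojaned httpd bytes")
    os.makedirs(os.path.join(root, "run"), exist_ok=True)
    open(os.path.join(root, "run/bigtlog.pipe"), "w").close()     # dropped IOC (a regular file in this sample)
    return root, baseline


if __name__ == "__main__":
    sample_root, sample_baseline = build_sample_root()
    for key, val in sweep(sample_root, sample_baseline).items():
        print(f"{key}: {val}")
```

Run it as root with `root="/"` and a baseline built from a golden image of the same version; `rpm -V` on the owning packages is the quicker built-in cross-check for the hash and mtime findings.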
Similar Happenings

Active exploitation of Citrix NetScaler ADC/Gateway memory disclosure vulnerability (CVE-2026-3055)

A critical out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055, is being actively exploited in the wild to leak sensitive information and extract administrative session IDs from appliance memory, enabling potential full appliance takeover. Citrix disclosed the flaw on March 23, 2026, alongside a high-severity race condition flaw, affecting versions before 14.1-60.58, 13.1-62.23, and those older than 13.1-37.262. The vulnerability requires appliances to be configured as SAML Identity Providers and impacts only customer-managed systems. Exploitation was confirmed via honeypot networks on March 27, with attackers leveraging both /saml/login and /wsfed/passive endpoints to trigger memory overread conditions. Security researchers criticize Citrix’s disclosure as incomplete and provide tools to detect vulnerable hosts. On March 30, 2026, CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) Catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to patch vulnerable Citrix appliances by April 2, 2026 under BOD 22-01. CISA warned the flaw poses significant risks to the federal enterprise and urged all organizations to prioritize patching. Shadowserver reports nearly 30,000 exposed NetScaler ADC appliances and over 2,300 exposed Gateway instances online.
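Both the F5 entry (probes of /mgmt/shared/identified-devices/config/device-info) and the Citrix entry above (/saml/login and /wsfed/passive used to trigger the overread) come down to the same detection: find non-management sources hitting a short list of sensitive paths in the appliance's HTTP access log. The scanner below is an added example, not vendor code. It assumes NCSA combined log lines (BIG-IP's httpd log uses that format; NetScaler logs would need normalising to it first), an assumed management range of 10.0.0.0/8, and constructed sample lines with documentation IP addresses.

```python
"""Scan combined-format access-log lines for probes of watch-listed endpoints
from non-management sources. Added example; sample lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# Endpoint -> why it matters (paths taken from the two summaries above)
WATCH_PATHS = {
    "/mgmt/shared/identified-devices/config/device-info": "BIG-IP REST device-info probe seen around CVE-2025-53521",
    "/saml/login": "NetScaler SAML IdP endpoint used to trigger CVE-2026-3055",
    "/wsfed/passive": "NetScaler WS-Fed endpoint used to trigger CVE-2026-3055",
}
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed admin ranges; tune per site

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse.
    The query string is stripped so '/saml/login?x=y' still matches the watch list."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_management(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def scan(lines):
    """Map source IP -> list of (timestamp, path, status) for watch-listed paths
    requested from outside the management ranges."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in WATCH_PATHS and not is_management(rec["ip"]):
            hits[rec["ip"]].append((rec["ts"], rec["path"], int(rec["status"])))
    return dict(hits)


# Constructed sample: two REST probes, one admin request from the management net,
# two NetScaler endpoint hits, one benign request, and one unparseable line.
SAMPLE_LINES = [
    '203.0.113.7 - - [29/Mar/2026:02:14:05 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401 147 "-" "python-requests/2.31"',
    '203.0.113.7 - - [29/Mar/2026:02:14:06 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401 147 "-" "python-requests/2.31"',
    '10.1.2.3 - admin [29/Mar/2026:08:00:01 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 200 912 "-" "curl/8.4"',
    '198.51.100.44 - - [30/Mar/2026:11:03:22 +0000] "POST /saml/login?foo=bar HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.44 - - [30/Mar/2026:11:03:25 +0000] "GET /wsfed/passive HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [30/Mar/2026:11:05:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LINES).items():
        for ts, path, status in events:
            print(f"{ip} {ts} {path} {status}  <- {WATCH_PATHS[path]}")
```

A 401 on the REST path is still worth alerting on: the scanning reported above is reconnaissance, and the source IPs are what you pivot on when checking the virtual-server traffic that carries the actual exploit.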

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from a flaw in the peering authentication mechanism that lets attackers log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have taken steps to clear evidence of the intrusion by purging logs and command history. Additionally, Cisco has flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature, allowing an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API, allowing a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023. Cisco has also released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.

AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks

A Russian-speaking, financially motivated hacker used generative AI services to breach over 600 FortiGate firewalls across 55 countries in five weeks. The campaign, which occurred between January 11 and February 18, 2026, targeted exposed management interfaces and weak credentials lacking MFA protection. The attacker used AI to automate access to other devices on breached networks, extracting sensitive configuration data and conducting reconnaissance. The attacker successfully compromised multiple organizations' Active Directory environments, extracted complete credential databases, and targeted backup infrastructure, likely in a lead-up to ransomware deployment. The threat actor used the CyberStrikeAI AI-powered security testing platform, which integrates over 100 security tools and allows for end-to-end automation of attacks. The developer of CyberStrikeAI, known as "Ed1s0nZ," has links to Chinese government-affiliated cyber operations and has worked on additional AI-assisted security tools. Team Cymru detected 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, primarily hosted in China, Singapore, and Hong Kong. Additional servers related to CyberStrikeAI have been detected in the U.S., Japan, and Switzerland. The developer has interacted with organizations supporting potentially Chinese government state-sponsored cyber operations, including Knownsec 404, a Chinese security vendor with ties to the Chinese Ministry of State Security (MSS). Ed1s0nZ has removed references to a CNNVD Level 2 Contribution Award from their GitHub profile. The campaign targeted healthcare, government, and managed service providers. The attackers exploited vulnerabilities CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. The attackers created a new local administrator account named "support" and set up four new firewall policies allowing unrestricted access. The attackers periodically checked device accessibility, consistent with initial access broker (IAB) behavior. The attackers extracted configuration files containing encrypted service account LDAP credentials. The attackers authenticated to the AD using clear text credentials from the fortidcagent service account. The attackers enrolled rogue workstations in the AD, allowing deeper access. The attackers deployed remote access tools like Pulseway and MeshAgent. The attackers downloaded malware from a cloud storage bucket via PowerShell from AWS infrastructure. The Java malware was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server (172.67.196[.]232) over port 443.
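Two of the persistence artefacts described above, a new local administrator named "support" and firewall policies allowing unrestricted access, are visible in a FortiGate configuration export. The audit below is an added example, not Fortinet tooling: it parses the `config ... edit ... set ... next ... end` structure of a FortiOS backup and reports admin accounts outside an expected allowlist, admins with no `trusthost` restriction, and any-to-any accept policies. The configuration text is a constructed sample, not a real export, and `expected_admins` is a site-specific list you supply.

```python
"""Audit a FortiOS config export for rogue admins and any-any accept policies.
Added example; the sample config is constructed, not a real device export."""
import shlex


def parse_fortios_config(text):
    """Return {section: {entry: {key: [values]}}} for a FortiOS config dump.
    Nested 'config' blocks are tracked on a stack; top-level 'set' lines inside
    a section without 'edit' (e.g. 'config system global') land under entry ''."""
    sections = {}
    stack = []                      # [section_name, current_entry] pairs
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            name = " ".join(tokens[1:])
            sections.setdefault(name, {})
            stack.append([name, None])
        elif kw == "edit":
            stack[-1][1] = tokens[1]
            sections[stack[-1][0]].setdefault(tokens[1], {})
        elif kw == "set":
            sec, entry = stack[-1]
            sections[sec].setdefault(entry or "", {})[tokens[1]] = tokens[2:]
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return sections


def unexpected_admins(cfg, expected_admins):
    return sorted(n for n in cfg.get("system admin", {}) if n and n not in expected_admins)


def admins_without_trusthost(cfg):
    """Admins reachable from any source IP; FortiOS restricts login with trusthost1..N."""
    return sorted(n for n, s in cfg.get("system admin", {}).items()
                  if n and not any(k.startswith("trusthost") for k in s))


def any_any_accept_policies(cfg):
    """Policy IDs that accept all/all/ALL. 'action' defaults to deny when absent."""
    out = []
    for pid, s in cfg.get("firewall policy", {}).items():
        if (pid and s.get("action", ["deny"]) == ["accept"]
                and s.get("srcaddr") == ["all"] and s.get("dstaddr") == ["all"]
                and s.get("service") == ["ALL"]):
            out.append(pid)
    return out


def audit(text, expected_admins):
    cfg = parse_fortios_config(text)
    return {
        "unexpected_admins": unexpected_admins(cfg, expected_admins),
        "admins_without_trusthost": admins_without_trusthost(cfg),
        "any_any_accept_policies": any_any_accept_policies(cfg),
    }


# Constructed sample export: the legitimate 'admin' plus the attacker's 'support'
# account, one scoped policy and one any-any accept policy.
SAMPLE_CONFIG = """\
# constructed sample, not a real FortiGate export
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.0.0.0
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan-web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "HTTP"
    next
    edit 2
        set name "tmp"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG, expected_admins={"admin"}).items():
        print(f"{finding}: {items}")
```

Diffing a fresh backup against the last known-good one with this parser catches the same additions without an allowlist, and is the faster check across a fleet.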

Critical Fortinet Vulnerabilities: FortiCloud SSO Bypass and FortiClientEMS SQLi Patched

Fortinet’s **critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1)** in FortiClientEMS is now being actively exploited in attacks, according to threat intelligence reports. The flaw allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests targeting the 'Site' header in the web interface. Nearly **1,000 exposed FortiClient EMS instances** remain vulnerable online, with the majority located in the U.S. and Europe. This follows Fortinet’s recent emergency patches for **CVE-2026-24858**, a critical FortiCloud SSO authentication bypass (CVSS 9.4) that was exploited to create admin accounts, modify firewall configurations, and exfiltrate data from over 25,000 exposed devices. CISA has mandated patches for federal agencies, but CVE-2026-21643 remains unlisted in its KEV catalog despite confirmed exploitation. The vulnerabilities stem from improper input validation—SQL injection in FortiClientEMS and authentication bypass in FortiCloud SSO—and have been linked to automated attacks since January 2026. Fortinet advises disabling FortiCloud SSO until patches are applied, restricting management interface access, and treating compromised systems as fully breached, requiring credential rotation and configuration restoration from clean backups. Patches for CVE-2026-24858 are available in **FortiOS 7.4.11**, **FortiManager 7.4.10**, and **FortiAnalyzer 7.4.10**, while CVE-2026-21643 is fixed in **FortiClientEMS 7.4.5** (versions 7.2 and 8.0 are unaffected).

FortiWeb Zero-Day Exploitation (CVE-2025-58034)

Fortinet has released security updates to address a new zero-day vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited in the wild. The flaw, an OS command injection vulnerability with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. Fortinet advises upgrading FortiWeb devices to the latest versions to mitigate the risk. CISA has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within a week. This follows another FortiWeb zero-day (CVE-2025-64446) that was silently patched in October and added to CISA's actively exploited vulnerabilities catalog. CVE-2025-64446 has a CVSS score of 9.1 and was patched in version 8.0.2. Fortinet has patched CVE-2025-58034 in FortiWeb versions 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12.