Overview
A newly reclassified and actively exploited vulnerability affecting F5 BIG‑IP Access Policy Manager (APM) (CVE‑2025‑53521) poses an immediate risk to organisations across the Isle of Man using BIG-IP appliances.
F5 has confirmed that malicious traffic sent to a BIG‑IP APM virtual server can trigger unauthenticated Remote Code Execution (RCE), allowing attackers to take full control of the device. This flaw was originally treated as a Denial-of-Service (DoS) issue but has now been reclassified as critical RCE following new intelligence in March 2026.
Organisations using F5 BIG-IP products are strongly advised to identify affected systems, apply the necessary patches and check for any indicators of compromise.
Impact
A successful compromise could enable attackers to:
- Access internal systems and sensitive data
- Manipulate services or disrupt operations
- Establish persistent access to wider networks
- Move laterally inside environments undetected
Given the control these devices exert over authentication and traffic flows, the impact of exploitation may be severe.
Affected Products
Please check the F5 Security Advisory page to identify affected systems: https://my.f5.com/manage/s/article/K000156741
Recommended Actions
- Review vendor advisories (linked below) - apply all available patches on affected systems as soon as practicable and follow any further advice provided.
- Perform a full compromise assessment on all affected systems, including those subsequently patched. F5 has published detailed Indicators of Compromise (IOCs) (linked below).
- If compromised, consider engaging a cyber incident response provider to assess and assist in investigations and recovery.
References
More information and guidance can be found on the following pages:
F5 BIG-IP - https://my.f5.com/manage/s/article/K000156741
UK NCSC Alert - https://www.ncsc.gov.uk/news/vulnerability-affecting-f5-big-ip-apm