A critical vulnerability in F5’s BIG-IP Access Policy Manager (APM) is being exploited in the wild. The bug, allocated CVE-2025-53521, lets an unauthenticated remote attacker execute arbitrary code (pre-auth RCE).

IOCs published by F5 today point to sophisticated attacks in which the threat group disables the SELinux kernel security module, takes control of the management interface, and likely gains full control over software that “secures and manages user access to applications… authentication and VPN capabilities” for customers that include multiple Fortune 500 firms.

That’s a dramatic upgrade in risk for BIG-IP APM users, who were first told, when the bug was patched in October, that it was a far lower-risk CVSS 7.5 denial-of-service bug. F5 said today that the bug affects BIG-IP APM users when an “access policy is configured on a virtual server” – a default pattern.

F5 says it has seen “cases of webshell being written to disk however the webshells have been observed to work in memory only” – a worrying note for defenders that suggests the attackers have found a way to gain deep persistence, perhaps by injecting malicious code into legitimate processes.

BIG-IP exploitation follows deep F5 breach

The incident comes five months after F5 admitted that an attacker had gained “long-term, persistent access” to its systems – stealing source code and information about undisclosed vulnerabilities in its BIG-IP suite. 

(CISA called for “immediate emergency action” in the wake of the October 2025 incident, saying the threat group “presents an imminent threat to federal networks using F5 devices… Exploitation of the impacted F5 products could… lead to a full compromise of target information systems.”)

The threat group that breached F5 was seen moving quickly from vulnerable network appliances to “vCenter servers and ESXi hypervisors hosting virtualized systems” – including via novel malware dubbed “Junction.”

Junction allows the adversary to “marshal data into and out of ESXi guest VMs via VSOCK sockets… Network traffic destined from a guest VM can be sent to ESXi via a standard HTTP request, and Junction will route the datagrams to a guest VM of the adversary’s choosing via a VSOCK, and return the response to the adversary,” it said in a 33-page private advisory obtained by The Stack. “This powerful technique can allow a threat actor to reach into a running VM and leave minimal forensic evidence…”

See also: Exclusive: F5 attackers target deep VMware persistence with novel malware
