A vulnerability in F5's BIG-IP networking devices, tracked as CVE-2025-53521, is being actively exploited by threat actors after being reclassified as a remote code execution (RCE) flaw. Initially disclosed as a high-severity denial-of-service (DoS) bug, the issue is now known to allow an unauthenticated attacker to execute commands and gain significant control over a compromised system.
The vulnerability resides in the BIG-IP Configuration utility, also known as the Traffic Management User Interface (TMUI). Attackers can exploit the flaw by sending a specially crafted HTTP request to an exposed management port. F5 initially disclosed the vulnerability in October as a DoS flaw; new information later revealed its more dangerous RCE capabilities, and active exploitation followed.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog, confirming the active threat and requiring federal agencies to patch their systems.
A successful attack gives adversaries a powerful foothold inside a target network. BIG-IP devices often sit at critical network junctions, managing application traffic. Compromise can lead to data exfiltration, internal network pivoting, deployment of ransomware, or manipulation of network traffic.
Administrators are strongly urged to apply the security updates provided by F5 immediately. For systems that cannot be patched right away, F5 recommends workarounds that restrict access to the TMUI: block access from the internet and limit it to a secure management network, which authorized personnel typically reach over a VPN.
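An added, defender-side check that is not part of the article: given Apache-style httpd access log lines (BIG-IP's httpd access log uses this combined format; the log lines, the approved management networks and the `/tmui/` path prefix below are constructed assumptions), it lists Configuration utility requests that arrived from outside the management network, which is exactly the exposure the workaround above is meant to remove.

```python
"""Audit httpd access logs for TMUI requests from outside the management network."""
import ipaddress
import re

# Networks from which TMUI access is permitted (assumed values; use your own).
ALLOWED_MGMT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Apache combined log format: source, ident, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; two come from addresses outside the management network.
SAMPLE_LOG = [
    '10.10.0.5 - - [12/Nov/2025:09:14:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120',
    '203.0.113.44 - - [12/Nov/2025:09:15:31 +0000] "POST /tmui/login.jsp HTTP/1.1" 200 4096',
    '198.51.100.7 - - [12/Nov/2025:09:16:05 +0000] "GET /tmui/tmui/login.jsp HTTP/1.1" 403 0',
    '10.10.0.9 - - [12/Nov/2025:09:17:44 +0000] "GET /xui/ HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]


def audit_tmui_access(log_lines, allowed_nets=ALLOWED_MGMT_NETS):
    """Return one finding per TMUI request whose source is not in an allowed network."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/tmui/"):
            continue  # unparsable, or not a Configuration utility request
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # hostname or malformed address; skip rather than crash
        if not any(src in net for net in allowed_nets):
            findings.append({
                "src": str(src),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": int(m.group("status")),
            })
    return findings


if __name__ == "__main__":
    for f in audit_tmui_access(SAMPLE_LOG):
        print(f"TMUI request from outside mgmt net: {f['src']} {f['method']} {f['path']} -> {f['status']}")
```

Any finding with a 200 status on a login path deserves a closer look, since it shows the utility answering to a network it should not be reachable from.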