CVE-2025-53521: F5 BIG-IP APM RCE — CISA Deadline Is March 30

CVE-2025-53521 dropped into CISA’s Known Exploited Vulnerabilities catalog on March 27, and the remediation deadline is March 30 . If you’re running F5 BIG-IP with Access Policy Manager (APM), this needs your attention right now. Here’s what makes this one ugly: F5 originally classified CVE-2025-53521 as a denial-of-service issue. That classification has since been upgraded to remote code execution (CVSS 9.3) after active exploitation was confirmed in the wild. A vulnerability that many teams deprioritized as “just a DoS” is actually giving attackers code execution on BIG-IP appliances. If your patching decision was based on the original advisory, your risk assessment is wrong. The Reclassification: From DoS to Full RCE When F5 first published advisory K000156741 , CVE-2025-53521 was described as a denial-of-service condition in BIG-IP APM. The attack vector was clear enough — a crafted request to the APM authentication endpoint could crash the Traffic Management Microkernel (TMM). Ann