Reference material — not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● Critical · CVSS 9.8 ⚠ ACTIVELY EXPLOITED — CISA KEV

How to Fix CVE-2025-53521: F5 BIG-IP APM Access Policy Vulnerability

*By Sai Kiran Pandrala*

⚡ At a glance
Severity: CVSS 9.8, Critical
Actively exploited: Yes, listed in CISA KEV
Affected: F5 BIG-IP virtual servers with an APM (Access Policy Manager) access policy configured
Fixed in: See the F5 K-article for CVE-2025-53521 for the exact TMOS engineering hotfix per train
Type (CWE): See vendor article; the vulnerability is in APM access-policy request handling

⚠️ Patch immediately. BIG-IP APM sits at the perimeter terminating remote-access SSL VPN, identity-aware proxy, and authentication. A vulnerability here is internet-reachable and high-impact.

What is CVE-2025-53521?

A vulnerability in F5 BIG-IP APM's access-policy processing on virtual servers allows specifically crafted requests to trigger the vulnerable code path. The vendor advisory (the F5 K-article for this CVE) describes the exact attack scenario and impact. The precondition is a BIG-IP APM access policy configured on a virtual server, which is met by any deployment that uses BIG-IP for SSL VPN, identity-aware proxy, or SAML federation.

Am I affected?

You are affected if all are true:

  1. You run F5 BIG-IP at a TMOS version below the patched build for your train.
  2. BIG-IP APM is licensed and configured.
  3. At least one virtual server has an APM access policy applied.

Check your TMOS version:


tmsh show /sys version

List virtual servers with APM policies:


# Name-based heuristic: matches virtual-server headers and any property or profile
# containing "apm". Access profiles can have arbitrary names, so confirm against the
# access-profile names returned by `tmsh list apm profile access`.
tmsh list /ltm virtual all-properties | grep -E "ltm virtual|apm"

Cross-reference your version against the F5 K-article's fix table.
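The cross-reference step above can be scripted. The following is an added example, not F5 code: it parses `tmsh show sys version` output (a constructed sample is embedded so it runs offline) and compares the version, and for an engineering hotfix the build, against a per-train fixed-in table. The table values are placeholders; fill them from the K-article.

```shell
# Added example, not F5 code: classify the running TMOS version/build against a
# per-train fixed-in table for CVE-2025-53521. Table entries are PLACEHOLDERS
# (assumed); copy the real version and build per train from the F5 K-article.
# Constructed sample of `tmsh show sys version` output so this runs offline.
# On a real unit: tmsh show sys version | parse_tmos_version
SAMPLE_OUTPUT='Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1.3
  Build       0.0.5'

# Print "<version> <build>" from tmsh output read on stdin.
parse_tmos_version() {
  awk '$1 == "Version" { v = $2 } $1 == "Build" { b = $2 } END { print v, b }'
}

# Fixed-in "<version> <build>" per major.minor train (PLACEHOLDER values).
fixed_in_for_train() {
  case "$1" in
    17.1) echo "17.1.1.3 0.0.43" ;;   # placeholder: engineering hotfix build
    16.1) echo "16.1.5 0.0.0" ;;      # placeholder
    *)    echo "" ;;                  # train not in table
  esac
}

# Return 0 if dotted version $1 >= $2, compared numerically per component, so
# 0.0.5 < 0.0.43 and 17.1.10 > 17.1.9 (a plain string compare gets both wrong).
version_ge() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    a=${v1%%.*}; b=${v2%%.*}
    [ "${a:-0}" -gt "${b:-0}" ] && return 0
    [ "${a:-0}" -lt "${b:-0}" ] && return 1
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
  done
  return 0
}

# Usage: assess_tmos <version> <build>; prints patched, vulnerable or unknown.
assess_tmos() {
  fixed=$(fixed_in_for_train "$(echo "$1" | cut -d. -f1,2)")
  [ -z "$fixed" ] && { echo unknown; return 0; }
  fver=${fixed%% *}; fbuild=${fixed#* }
  if ! version_ge "$1" "$fver"; then echo vulnerable
  # Same base version: an engineering hotfix only bumps Build, so compare that too.
  elif [ "$1" = "$fver" ] && ! version_ge "$2" "$fbuild"; then echo vulnerable
  else echo patched; fi
}

set -- $(printf '%s\n' "$SAMPLE_OUTPUT" | parse_tmos_version)
echo "TMOS $1 build $2: $(assess_tmos "$1" "$2")"   # prints: TMOS 17.1.1.3 build 0.0.5: vulnerable
```

A result of "unknown" means the train is not in your table, not that the unit is safe; add every train you run from the K-article.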

How to fix CVE-2025-53521

  1. Open the F5 K-article for CVE-2025-53521 on the F5 MyF5 portal. F5 publishes the exact engineering hotfix per supported TMOS train.
  2. Download the hotfix ISO from F5 Downloads.
  3. For HA pairs, install on the standby unit first via the F5 GUI: System → Software Management → Hotfix List → Install.
  4. Reboot the standby when prompted, fail over, then install on the formerly-active.
  5. Verify with tmsh show /sys version — the build should reflect the hotfix.

Upgrade BIG-IP to the patched release


# Confirm the running version
tmsh show sys version

# Download the patched image from the F5 advisory: https://my.f5.com/manage/s/article/K000156741
# Take a UCS backup first (written under /var/local/ucs/)
tmsh save sys ucs /var/local/ucs/pre-patch.ucs

# Install to an inactive boot location; check which volumes exist and which is active
tmsh show sys software status
tmsh install sys software image BIGIP-<patched-version>.iso volume HD1.2
# For an engineering hotfix file instead of a full image, use:
#   tmsh install sys software hotfix <hotfix-file> volume HD1.2
# On an HA pair, do this on the standby first, fail over, then repeat on the peer.

# Boot into the patched volume
tmsh reboot volume HD1.2

# Post-reboot
tmsh show sys version

Verify the fix landed


# 1. Confirm the running version matches the fixed-in version from the advisory:
#    https://my.f5.com/manage/s/article/K000156741
#    Use the platform-specific version probe above.

# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
#    The scanner should no longer flag CVE-2025-53521 on the patched target.

# 3. Inspect recent service / kernel logs for crash loops or rollback events.
#    On BIG-IP the traffic-management log is /var/log/ltm; the active boot
#    location is reported by `tmsh show sys software status`.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"

If you can't patch immediately

F5 may publish a temporary iRule mitigation in the K-article. Check the "Mitigation" section of the F5 K-article for any documented workaround that blocks the specific exploit pattern at the LTM layer. If no workaround is documented, restrict APM virtual server access to known IPs at any upstream firewall.

How to verify the fix worked


tmsh show /sys version

Build must match the F5-published patched version. Run an external vulnerability scan against the affected virtual servers — CVE-2025-53521 detection should clear.

Frequently asked questions

Is CVE-2025-53521 actively exploited?

Yes. CVE-2025-53521 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.

What is the CVSS severity of CVE-2025-53521?

Critical. See the advisory for the full CVSS vector.

Where can I read the official advisory?

See https://my.f5.com/manage/s/article/

Does the patch require a reboot?

It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.

References


*This guide was assembled from the F5 K-article reference, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against the F5 K-article for the exact engineering hotfix and any iRule mitigation before applying changes in production.*
