CVE-2025-53521
⛔ criticalSummary
When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Score
9.8
Critical
EPSS Score
41.4
Exploit Probability
Published Date
2025-10-15
First Seen: 2026-01-05
📊 Relative Risk Intelligence
This CVE is Very High Risk - more severe than 90.4% of all 322,079 vulnerabilities in our database.
#30,811
Top 10% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: Mar 28, 2026
🔍 Exploitation Status
Active
Exploits detected in the wild
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
F5 would like to thank Kristian Vlaardingerbroek, Hugo Trippaers, and other people of Schuberg Philis; Bart Vrancken; Fox-IT; and the National Cyber Security Centre (NCSC) in the Netherlands for their assistance in investigating this issue and following the highest standards of coordinated disclosure.
SSVC data provided by
CISA
Last Modified
2026-03-31
Source
NVD 🔗
CVSS Vector 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)