Threat Intelligence Mar 30, 2026

CVE-2025-53521: F5 BIG-IP APM RCE Actively Exploited by Chinese State Actor

A vulnerability originally classified as denial-of-service has been reclassified as critical remote code execution. It's tied to a year-long breach of F5's own network, a Chinese state actor, and a custom backdoor called Brickstorm.

The Short Version

If you're running F5 BIG-IP with Access Policy Manager (APM) configured on any virtual server, stop reading and go patch. F5's advisory (K000156741) has the fixed versions. CISA added this to the Known Exploited Vulnerabilities catalog on March 27 with a remediation deadline of March 30. That's today.

This isn't theoretical. Attackers are actively deploying webshells on unpatched BIG-IP devices right now.

Key Facts

  • CVE: CVE-2025-53521
  • CVSS: 9.8 (v3.1) / 9.3 (v4.0) - Critical
  • Type: Unauthenticated Remote Code Execution
  • Affected: F5 BIG-IP with APM access policy on a virtual server
  • Threat actor: UNC5221 (China-nexus, attributed by Mandiant and CrowdStrike)
  • Exploitation: Active, confirmed by CISA, NCSC, and F5
  • CISA deadline: March 30, 2026

How We Got Here

The timeline on this one is unusual, and that's what makes it worth paying attention to.

Around August 2024, a threat group that Google Mandiant tracks as UNC5221 gained access to F5's internal corporate network. They stayed inside for roughly 12 months. During that time, they exfiltrated BIG-IP source code and information about undisclosed vulnerabilities. F5 discovered the breach in August 2025.

The US Department of Justice authorised delayed public disclosure. On October 15, 2025, F5 went public with the breach and published CVE-2025-53521 as a high-severity denial-of-service issue with a CVSS v4 score of 8.7. CISA issued Emergency Directive ED 26-01 requiring federal agencies to patch by October 22.

Then in March 2026, F5 obtained "new information" and reclassified the vulnerability from DoS to remote code execution. The CVSS score jumped to 9.8. On March 27, CISA added it to the KEV catalog with active exploitation confirmed. The Dutch NCSC and UK NCSC both issued alerts. Defused Cyber reported acute scanning activity targeting vulnerable BIG-IP instances.

So to recap: a Chinese state actor stole F5's source code, used it to find and exploit a vulnerability that was initially downplayed as DoS, and has been hitting targets with it while everyone thought they were patched against a crash bug, not an RCE.

What's Affected

The vulnerability sits in the apmd process, which handles APM-related traffic. Any BIG-IP system with an APM access policy configured on a virtual server is vulnerable. The attack is unauthenticated and network-accessible, with low complexity. No user interaction required.

Affected Versions     Fixed Version
17.5.0 - 17.5.1       17.5.1.3
17.1.0 - 17.1.2       17.1.3
16.1.0 - 16.1.6       16.1.6.1
15.1.0 - 15.1.10      15.1.10.8

One bit of good news: the patches F5 released back in October 2025 (when this was still classified as DoS) do fix the RCE too. If you patched in October, you're covered. But if you deprioritised it because "it's just a DoS," now would be a good time to revisit that decision.
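As an added example (not F5's tooling and not part of the original post), a small checker that classifies a BIG-IP version string against the table above. The fixed builds carry a fourth component, so versions are compared as integer tuples rather than as strings; the handling of a trailing "Build ..." token is an assumption for convenience when pasting version output.

```python
# Added example, not F5 tooling: classify a BIG-IP version string against the
# affected/fixed table for CVE-2025-53521 as transcribed from the advisory summary above.

# branch -> first fixed release on that branch (every earlier release on the branch,
# from x.y.0 up to the "last affected" column, is vulnerable)
FIXED_TABLE = {
    (17, 5): (17, 5, 1, 3),   # affected 17.5.0 - 17.5.1
    (17, 1): (17, 1, 3),      # affected 17.1.0 - 17.1.2
    (16, 1): (16, 1, 6, 1),   # affected 16.1.0 - 16.1.6
    (15, 1): (15, 1, 10, 8),  # affected 15.1.0 - 15.1.10
}


def parse_version(text: str) -> tuple:
    """'16.1.6.1' -> (16, 1, 6, 1).

    Tuples compare numerically, so 16.1.10 > 16.1.6, which plain string comparison
    gets wrong. Only the first whitespace-separated token is used, so a pasted
    '17.1.1 Build 0.0.3' (assumed format) still parses.
    """
    return tuple(int(part) for part in text.strip().split()[0].split("."))


def classify(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not in table' for a BIG-IP version string."""
    version = parse_version(text)
    fixed = FIXED_TABLE.get(version[:2])
    if fixed is None:
        # Branches the table does not list need the advisory (K000156741), not this script
        return "not in table"
    # A shorter tuple sorts below its longer extension, so 16.1.6 < 16.1.6.1 and is
    # correctly reported as vulnerable while 16.1.6.1 itself is fixed.
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    for sample in ("17.1.1", "17.1.3", "16.1.6", "16.1.6.1", "15.1.10.7", "14.1.5"):
        print(f"{sample:<10} {classify(sample)}")
```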

Appliance mode systems are also vulnerable. Shadowserver tracks over 240,000 BIG-IP instances exposed online globally. F5 serves 48 of the Fortune 50.

The Threat Actor: UNC5221

UNC5221 is a China-nexus cyber espionage group tracked by Google Mandiant and CrowdStrike. They maintained access to F5's internal network for at least 12 months before discovery. The stolen BIG-IP source code enabled what Resecurity described as "rapid zero-day discovery and weaponisation against internet-exposed management services."

After exploiting CVE-2025-53521 on target systems, UNC5221 deploys a custom backdoor called Brickstorm. It's a Go binary with some serious capabilities:

  • Embedded TLS with HTTP/1.1, HTTP/2, and WebSocket support for C2 communication
  • Yamux multiplexing for concurrent streams over a single socket
  • SOCKS proxy for pivoting into internal networks
  • Multipart/form-data exfiltration with base64 encoding
  • Systemd persistence
  • Memory-only execution modes that leave minimal forensic traces on disk

This isn't a smash-and-grab. It's designed for long-term, quiet access. Once Brickstorm is on your BIG-IP, the attacker can intercept traffic, harvest credentials, manipulate application requests, and pivot laterally into your internal network. The BIG-IP device becomes a beachhead.

What You Should Do Right Now

1. Patch

Upgrade to 17.5.1.3, 17.1.3, 16.1.6.1, or 15.1.10.8 depending on your branch. If you applied the October 2025 patches, verify the specific version. The patches are the same ones, but confirm you're actually running a fixed build, not just that you approved the change request.

2. Restrict Management Access

BIG-IP management interfaces should not be accessible from the public internet. Use ACLs, firewall policies, VPNs, or jump hosts. This should have been done already per ED 26-01 in October, but if it wasn't, do it now.

3. Hunt for Compromise

Even if you've patched, check whether you were compromised before the patch. Look for:

  • Webshells on disk or in-memory (F5 published IOC documentation as "malicious software c05d5254")
  • SELinux module disablement in logs
  • Modifications to sys-eicheck (BIG-IP's system integrity checker)
  • Unauthorised config changes, new user accounts, or suspicious scripts
  • Unusual POST requests to management interfaces on ports 443/80
  • Requests to /mgmt/shared/identified-devices/config/device-info
  • Suspicious URL lengths over 200 characters targeting TMUI paths
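An added example (not from F5, Mandiant or the original post) that turns three of the log-based indicators above into checks run over constructed access-log lines in Apache common log format. The log format, the management-path prefixes and the allowlist of expected POST endpoints are assumptions to tune for your own environment.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Apache common log format (an assumption about your log source; adjust for your SIEM)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
MGMT_PREFIXES = ("/mgmt/", "/tmui/")          # assumed management-interface paths
NORMAL_POSTS = {"/mgmt/shared/authn/login"}   # tune: POST endpoints you expect to see
DEVICE_INFO = "/mgmt/shared/identified-devices/config/device-info"
LONG_URL = 200                                # length threshold from the indicator list

# Constructed sample lines, not real captures; the long path is padding only.
LONG_PATH = "/tmui/login.jsp?" + "A" * 210
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [29/Mar/2026:08:01:10 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4321',
    '10.0.0.5 - - [29/Mar/2026:08:01:12 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Mar/2026:08:02:33 +0000] "GET ' + DEVICE_INFO + ' HTTP/1.1" 401 150',
    '203.0.113.7 - - [29/Mar/2026:08:02:40 +0000] "POST /mgmt/tm/sys/config HTTP/1.1" 401 150',
    '203.0.113.7 - - [29/Mar/2026:08:02:45 +0000] "GET ' + LONG_PATH + ' HTTP/1.1" 404 200',
    'a truncated line that does not parse and is skipped',
])

@dataclass
class Finding:
    line_no: int
    rule: str
    ip: str
    method: str
    path: str

def hunt(log_text: str) -> list:
    # Apply the three indicators to every parseable line and return what fired
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        bare = path.split("?", 1)[0]          # compare the path without its query string
        if bare == DEVICE_INFO:
            findings.append(Finding(line_no, "device-info probe", ip, method, path))
        if bare.startswith("/tmui/") and len(path) > LONG_URL:
            findings.append(Finding(line_no, "long TMUI url", ip, method, path))
        if method == "POST" and bare.startswith(MGMT_PREFIXES) and bare not in NORMAL_POSTS:
            findings.append(Finding(line_no, "POST to management path", ip, method, path))
    return findings

def suspicious_sources(findings: list) -> dict:
    # Count findings per source IP so repeat offenders surface first during triage
    return dict(Counter(f.ip for f in findings))
```

Run `hunt(SAMPLE_LOG)` and then `suspicious_sources(...)` on the result to see that the three findings all trace back to one source address.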

4. Hunt for Brickstorm

Mandiant has published a Brickstorm scanner tool on GitHub that checks for the backdoor on Linux/BSD systems using YARA-style signature matching. CISA has also published Malware Analysis Reports with detailed IOCs. Use both to sweep your environment.

Also look for systemd persistence modifications and validate your BIG-IP software image MD5 checksums against F5's known-good values.

5. Isolate If You Can't Patch

If immediate patching isn't possible, isolate affected BIG-IP devices from the network. Yes, this may cause service impact. The alternative is worse.

The Bigger Picture

There are a few things worth calling out here beyond the immediate "go patch" advice.

Severity reclassifications happen. This vulnerability spent five months classified as "just a DoS." Plenty of organisations would have deprioritised patching based on that assessment. When F5 reclassified it as RCE with a 9.8, the risk calculus changed overnight. But the attackers didn't wait for the reclassification. They'd been exploiting it the whole time.

Network appliances are high-value targets. BIG-IP devices sit inline in front of your applications. They see all the traffic. A compromised load balancer or reverse proxy gives an attacker a position most defenders don't monitor closely. This pattern keeps repeating: Ivanti, Fortinet, Citrix, Palo Alto, F5, and most recently Cisco's SSM On-Prem licensing server. If you're running internet-facing network appliances, treat them as tier-one assets in your vulnerability management program.

Source code theft enables targeted exploitation. UNC5221 didn't find this vulnerability through fuzzing or reverse engineering. They stole the source code and went looking. That's a fundamentally different threat model than most organisations plan for. When a vendor gets breached, every customer inherits the risk.

Know What's Exposed

CVE-2025-53521 is a reminder that internet-facing network appliances are high-value targets. Luna scans your external attack surface for known CVEs, exposed management interfaces, outdated services, and misconfigurations across your infrastructure. While there isn't a specific template for this CVE yet, Luna's 11,000+ security templates and four scan types help you maintain visibility over what's exposed and catch the next one before it's in the news.

Get Slack alerts when something critical turns up. Learn more about automated vulnerability scanning.
