The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical Remote Code Execution (RCE) vulnerability affecting F5 BIG-IP systems to its Known Exploited Vulnerabilities (KEV) Catalog. The move comes after confirmed evidence surfaced that malicious actors are actively weaponizing the flaw to breach high-value networks.
Tracked as CVE-2025-53521, the vulnerability carries a CVSS score of 9.8.
The flaw resides in the BIG-IP Access Policy Manager (APM). When a virtual server is configured with a BIG-IP APM access policy, it becomes susceptible to specially crafted malicious traffic.
If successfully exploited, this traffic allows an attacker to bypass security boundaries and achieve Remote Code Execution (RCE). In the hands of a cybercriminal or state-sponsored group, this provides a key to:
- Intercept Encrypted Traffic: Gain access to sensitive data passing through the gateway.
- Lateral Movement: Use the BIG-IP appliance as a pivot point to attack internal servers.
- Persistent Access: Install backdoors that remain even after basic reboots.
F5 BIG-IP devices are a mainstay in government and corporate data centers, making them a “frequent attack vector for malicious cyber actors”. Because these devices sit at the edge of the network, a successful breach often bypasses traditional firewalls and internal security measures.
CISA warned that this specific type of vulnerability “poses significant risks to the federal enterprise,” prompting an immediate mandate for remediation.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are now under a strict clock. Agencies are required to remediate CVE-2025-53521 by March 30, 2026.
While the mandate specifically applies to federal agencies, CISA strongly urges all private sector organizations to prioritize this patch to secure their own networks.
F5 has noted that software versions which have reached End of Technical Support are not evaluated for this flaw. Organizations running legacy versions should not assume they are safe; instead, they should migrate to supported, patched versions immediately to avoid being an easy target.
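To prioritize patching, it helps to know which virtual servers meet the exposure condition described above, namely an APM access policy attached to the virtual server. The following Python script is an added example, not code from F5 or CISA: it reads a BIG-IP text configuration and lists the virtual servers whose profiles include an APM access profile. It assumes the `apm profile access` and `ltm virtual` stanza layout of a bigip.conf file; the sample configuration and the function names are constructed for illustration.

```python
# Constructed sample in bigip.conf style (stanza layout is an assumption); not from a real device.
SAMPLE_CONF = """\
apm profile access /Common/vpn_ap {
    access-policy /Common/vpn_ap
}
ltm virtual /Common/vs_vpn {
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/vpn_ap { }
    }
}
ltm virtual /Common/vs_web {
    profiles {
        /Common/http { }
    }
}
"""

def stanzas(text):
    """Yield (header, body) for each 'header { ... }' stanza at the top level of text."""
    depth, header, body = 0, None, []
    for line in text.splitlines():
        after = depth + line.count("{") - line.count("}")
        if depth == 0 and "{" in line:
            header, body = line.split("{", 1)[0].strip(), []
        elif depth > 0 and after > 0:
            body.append(line)
        if header is not None and after == 0:
            yield header, "\n".join(body)
            header = None
        depth = after

def apm_exposed_virtuals(text):
    """Map each virtual server to the APM access profiles attached to it."""
    access_profiles, attached = set(), {}
    for header, body in stanzas(text):
        parts = header.split()
        if parts[:3] == ["apm", "profile", "access"]:
            access_profiles.add(parts[-1])
        elif parts[:2] == ["ltm", "virtual"]:
            attached[parts[-1]] = [name for sub, inner in stanzas(body)
                                   if sub == "profiles" for name, _ in stanzas(inner)]
    return {vs: hits for vs, names in attached.items()
            if (hits := [n for n in names if n in access_profiles])}

if __name__ == "__main__":
    print(apm_exposed_virtuals(SAMPLE_CONF))
```

Run it against an exported copy of the configuration. The result is an inventory for prioritization, and moving to a supported, patched version remains the remediation.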