1 article
A vulnerability in F5 BIG-IP Access Policy Manager initially classed as denial-of-service has been reclassified as critical remote code execution with CVSS 9.8 after active exploitation was confirmed. CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalogue on 27 March and set a three-day patch deadline for federal agencies. All organisations running BIG-IP APM should treat this as an emergency.