F5 has published an updated security advisory explaining that a previously disclosed vulnerability in BIG-IP APM has been recategorised as an unauthenticated remote code execution vulnerability  

CVE-2025-53521: When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).

F5 is aware of active exploitation of CVE-2025-53521 affecting BIG-IP APM.

The NCSC is working to fully understand UK impact and any potential cases of active exploitation affecting UK networks.

The NCSC recommends investigating for compromise on all affected products regardless of when the system was updated. F5 have published Indicators of Compromise.   

All organisations using BIG-IP APM are affected by this vulnerability.

The NCSC recommends following vendor best-practice advice to mitigate vulnerabilities. In this case due to reports of in the wild exploitation, if you use an affected product, you should take these priority actions:

1. Read the security advisory and Indicators of Compromise.
2. If possible, isolate the affected system(s) and replace with a new, fully up-to-date system (NOTE: this may cause service outage).
3. Fully investigate for evidence of compromise following the vendor guidance (an assured Cyber Incident Response provider can assist) Where this isn’t possible; the affected system should be erased/destroyed and rebuilt as new.
4. If you believe you have been compromised, and are in the UK, you should report it and consider using an assured Cyber Incident Response provider. You can also report the compromise to the vendor to assist their investigation.
5. Update to the latest version of the affected product.
6. Apply any appropriate security hardening.
7. Re-enable/reintroduce the affected system(s).
8. Perform continuous threat hunting activities.  

The following NCSC guidance and services will help to secure systems:

• Find an assured Cyber Incident Response provider.
• Follow NCSC guidance including vulnerability management and preventing lateral movement.
• If your organisation is in the UK, you can sign up to the free NCSC Early Warning service to receive notifications of potential cyber threats on your network. If you are already an Early Warning user, please check your MyNCSC portal.
• The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.