A critical remote code execution vulnerability (CVE-2025-53521; CVSS 3.1 score 9.8) affects F5 BIG‑IP when an Access Policy Manager (APM) access policy is configured on a virtual server. Crafted malicious traffic can lead to unauthenticated remote code execution, enabling full system compromise of affected appliances. NIST and vendor records indicate the issue impacts multiple BIG‑IP modules across the 15.1.x, 16.1.x and 17.x branches (see vendor advisory for exact version ranges and module details).
Although this CVE was originally disclosed in October 2025 as a lower-severity denial-of-service issue, F5 reclassified it as a critical RCE vulnerability in March 2026 following new findings — significantly raising its risk profile. CISA has since added it to its Known Exploited Vulnerabilities catalog and active in-the-wild exploitation has been confirmed, underscoring the urgency of immediate remediation.
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching.
References:

