惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hacker News: Front Page
P
Palo Alto Networks Blog
T
ThreatConnect
Apple Machine Learning Research
Apple Machine Learning Research
博客园_首页
T
True Tiger Recordings
P
Privacy & Cybersecurity Law Blog
B
Blog
IT之家
IT之家
Last Week in AI
Last Week in AI
F
Full Disclosure
Hacker News: Ask HN
Hacker News: Ask HN
C
Comments on: Blog
Microsoft Azure Blog
Microsoft Azure Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
博客园 - 【当耐特】
N
News and Events Feed by Topic
NISL@THU
NISL@THU
腾讯CDC
雷峰网
雷峰网
Security Latest
Security Latest
李成银的技术随笔
M
Microsoft Research Blog - Microsoft Research
L
LangChain Blog
L
Lohrmann on Cybersecurity
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
Check Point Blog
Y
Y Combinator Blog
Recent Announcements
Recent Announcements
博客园 - Franky
N
News | PayPal Newsroom
V
V2EX
A
About on SuperTechFans
The Register - Security
The Register - Security
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Google Online Security Blog
Google Online Security Blog
MyScale Blog
MyScale Blog
Cisco Talos Blog
Cisco Talos Blog
Vercel News
Vercel News
WordPress大学
WordPress大学
C
Cyber Attacks, Cyber Crime and Cyber Security
The Hacker News
The Hacker News
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
爱范儿
爱范儿
A
Arctic Wolf
L
LINUX DO - 最新话题
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More

Truesec

Securing IT, OT, and IoT When the Digital Meets the Physical Russia Rolls Out Surveillance Through State-Backed “Super App” MAX Device Code Phishing via Fake File-Sharing Invitation Active Exploitation of PAN‑OS Authentication Portal RCE Windows Client Security Baselines: When Assumptions Meet Incident Response Reality Entra ID Password Protection: From “P@ssw0rd” to Protected GitHub Under Attack: How Small Exposures Snowball into Large‑Scale Compromises European Risks Linked to the U.S. – Iran Conflict Mythos: What It Actually Means and What It Does Not Russian Espionage Campaign Targets Home Routers How Nordic Organizations Must Adjust Their Cybersecurity to a Changing Operating Environment Critical Vulnerability in “Ninja Forms – File Upload” WordPress Plugin (CVE-2026-07409) Iranian APT Target US Critical Infrastructure Remote Access – Is VPN the Almighty Solution? Malicious Axios Packages Published to npm in New Supply Chain Compromise No Further Increase in Iranian Cyber Operations Malicious PyPI Package – LiteLLM Supply Chain Compromise Dutch Intelligence Warns of Russian Campaign Against Signal and Whatsapp Users Multiple Vulnerabilities, One Critical, in Ubiquiti UniFi Network Application
RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521)
2026-03-31 · via Truesec

Threat Insight

F5 has disclosed a critical Remote Code Execution (RCE) vulnerability affecting BIG-IP Access Policy Manager (APM) when an access policy is configured on a virtual server. The vulnerability allows an unauthenticated attacker to execute arbitrary code on the affected system.

This issue was previously classified as a Denial-of-Service (DoS) vulnerability but has been re‑categorized as an RCE in March 2026 following new information. The previously released fixes remain valid and fully address the RCE in fixed versions[1].

The vulnerability can be triggered by specially crafted malicious traffic when an APM access policy is enabled on a virtual server. Systems running in Appliance mode are also affected[1].

CVE

CVE-2025-53521

Affected Products

F5 BIG-IP APM Versions[1]:
17.x: 17.1.0 – 17.1.3, 17.5.0 – 17.5.1
16.x: 16.1.0 – 16.1.6
15.x: 15.1.0 – 15.1.10

Other BIG-IP modules such as BIG-IQ, BIG-IP Next, F5OS, NGINX products, and F5 Distributed Cloud services does not seem to be affected.

Exploitation

F5 has confirmed that active exploitation has been observed in vulnerable BIG-IP versions.

Truesec recommends upgrading immediately per vendor instruction. Furthermore, threat hunting will be conducted across all our MDR customers.

Truesec also recommends that you investigate suspicious log entries, examples can be seen under “Detection”.

Detection

/var/log/restjavad-audit.<NUMBER>.log [ForwarderPassThroughWorker{“user”:”local/f5hubblelcdadmin”,”method”:”POST”,”uri”:”http://localhost:8100/mgmt/tm/util/bash”,”status”:200,”from”:”Unknown”}

This entry shows a local user accessing the iControl REST API from localhost.
/var/log/auditd/audit.log.
msg=’avc: received setenforce notice (enforcing=0) exe=”/usr/lib/systemd/systemd” sauid=0 hostname=? addr=? terminal=?’

This entry shows a local user accessing the iControl REST API from localhost to disable SELinux.
/var/log/audit
user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash

These log messages show an echo of Base64-encoded data written into a file and the execution of /run/bigstart.ltm. This entry shows an example of a command being run in the audit log, correlated to the iControl REST request above[2].

References

[1] https://my.f5.com/manage/s/article/K000156741

[2]https://my.f5.com/manage/s/article/K000160486

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。