NCSC Urges Immediate Patching of F5 BIG-IP Bug

UK organizations have been encouraged to immediately patch a critical new vulnerability in F5’s BIG-IP Access Policy Manager (APM) product that is currently under active exploitation.

The National Cyber Security Centre (NCSC) explained that it is still “working to fully understand UK impact and any potential cases of active exploitation affecting UK networks.”

It added that CVE-2025-53521 could lead to remote code execution (RCE) “when a BIG-IP APM access policy is configured on a virtual server.”

In a security advisory, F5 explained that the flaw was originally classified as a denial-of-service vulnerability with a CVSS score of 7.5. However, “due to new information obtained in March 2026,” the CVE is being re-categorized as an RCE flaw with a score of 9.8.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and gave federal agencies up to midnight on March 30 to patch – reflecting the seriousness of the bug.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," it said.

F5 urged customers to consult their corporate security policy for incident handling guidelines, including forensic best practices, in the event of compromise.

“More specifically, review the policies to ensure that they comply with evidence collection and forensics procedures for a security incident before you attempt to recover the system,” it added.

“Additionally, if you do not know exactly when the system was compromised, your UCS [user configuration set] backups may have been created afterward, or both, F5 strongly recommends that you rebuild the configuration from scratch because UCS files from compromised systems can contain persistent malware.”

What F5 Customers Should Do Next

The NCSC recommended F5 customers do the following:

  • Read F5’s security advisory and Indicators of Compromise
  • Isolate affected systems where possible and replace with a new, fully updated system – although this may cause a service outage
  • Fully investigate for evidence of compromise in line with F5 guidance. If this isn’t possible, the affected system should be “erased/destroyed and rebuilt as new”
  • Report any incidents of compromise to the NCSC 
  • Update to the latest version of the product
  • Apply appropriate security hardening
  • Re-enable/reintroduce the affected system(s)
  • Perform continuous threat hunting  

F5 products are popular targets for sophisticated threat actors, including nation states.

Last October the tech vendor revealed that a state-backed group had achieved “long-term, persistent access” to its own systems, stealing source code and undisclosed information about vulnerabilities in its products.
