For F5 BIG-IP APM customers, CVE-2025-53521 is being exploited in the wild by a nation state threat actor.

It allows unauth RCE and applies to the data plane (not the management interface) - the one available over the internet.

https://my.f5.com/manage/s/article/K000156741

Attackers have been deploying webshells, so boxes are still vuln post patching if already exploited prior.

@GossiTheDog Given that F5 made a VERY big song and dance then that (a) they'd been penetrated by attackers with BRICKSTORM and (b) everyone should patch everything, like, right the fuck now, I would hope nothing too vital would still be vulnerable...

... okay, yes, I can now hear myself. [cries]

@dwm @GossiTheDog

"Certain groups have gotten very good at popping edge protection devices...if you own //redacted//, //redacted//, or //redacted//; assume you are compromised."

All the big boxes are getting hit so damn hard right now, it makes me wonder if you wouldn't be better off with a hand-rolled solution...assuming you have the crew to build and maintain it.