What happened
CISA added CVE-2025-53521 to the Known Exploited Vulnerabilities catalog on 2026-03-27, signaling confirmed in-the-wild exploitation (CISA KEV). The flaw is a stack-based buffer overflow (CWE-121) in F5 BIG-IP Access Policy Manager (APM) that can enable remote code execution (NVD entry). The affected product is identified as F5 BIG-IP in the public records for the CVE (MITRE CVE record).
CISA’s entry sets a remediation due date of 2026-03-30 and instructs organizations to apply vendor mitigations or discontinue use if mitigations are unavailable, and to follow BOD 22-01 guidance where applicable (CISA KEV). Inclusion in KEV means federal civilian agencies are required to remediate by the due date as part of CISA’s directive process (CISA KEV).
Why it matters
A stack-based buffer overflow mapped to CWE-121 is classic memory corruption that can be driven to arbitrary code execution in vulnerable contexts (NVD entry). Here, the context is F5 BIG-IP APM, with the vulnerability expressly described as enabling remote code execution against the device (MITRE CVE record). RCE on enterprise infrastructure is high-impact because an attacker’s code runs with the privileges of the targeted process, enabling takeover paths on the appliance (NVD entry).
KEV designation is not theoretical risk; it documents active exploitation and mandates rapid remediation timelines, with this entry carrying a 3-day window from addition to due date (CISA KEV). That urgency reflects adversary focus on field-proven flaws and the need for immediate action over routine patch cycles (CISA KEV).
Technical detail
The vulnerability is cataloged as a stack-based buffer overflow (CWE-121), indicating writes beyond the bounds of a stack-allocated buffer due to insufficient bounds checking, which is a common primitive for hijacking control flow (NVD entry). Public records for CVE-2025-53521 explicitly state the affected technology as F5 BIG-IP APM and the potential impact as remote code execution (MITRE CVE record). Tracking identifiers and authoritative metadata are available via NVD and MITRE for verification and ongoing updates (NVD entry).
As of the KEV addition date, CISA’s catalog is the authoritative indicator of active exploitation for this CVE and sets the remediation requirement and due date for covered organizations (CISA KEV). The technical description remains concise in public sources, but the CWE classification and RCE impact are sufficient to prioritize emergency response (NVD entry).
Defense
Immediate actions:
- Validate exposure and asset inventory for F5 BIG-IP against CVE-2025-53521 and track updates via the CVE record (NVD entry).
- Apply vendor mitigations without delay and follow BOD 22-01 guidance where applicable; discontinue use if mitigations are unavailable, per CISA’s directive language (CISA KEV).
- Treat this as an active-exploitation incident class and execute your emergency change window before the CISA due date of 2026-03-30 (CISA KEV).
Detection and monitoring:
- Prioritize detections for exploitation attempts tied to CVE-2025-53521 and patterns consistent with stack overflow abuse in line with CWE-121 class behavior (e.g., abnormal input sizes to stack-handling code paths) (NVD entry).
- Continuously monitor authoritative feeds for revisions to the CVE description and references as details evolve (MITRE CVE record).
Governance:
- Record remediation and verification status against the KEV entry to meet directive requirements and audit expectations for known-exploited vulnerabilities (CISA KEV).
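The inventory check and KEV status tracking described in the lists above can be scripted. The following is an added example, not part of the original article or any vendor tooling: it matches a constructed asset inventory against a KEV-format entry populated with this page's values and classifies each matching asset against the due date. The hostnames, the `apm` flag and the `remediated` field are hypothetical.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed; values are those stated on this page.
KEV = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2025-53521", "vendorProject": "F5", "product": "BIG-IP",
   "dateAdded": "2026-03-27", "dueDate": "2026-03-30", "cwes": ["CWE-121"]}]}""")

# Constructed inventory: hostnames, the "apm" flag and "remediated" dates are hypothetical.
INVENTORY = [
    {"host": "lb-core-02.example.internal", "vendor": "F5", "product": "BIG-IP",
     "apm": False, "remediated": "2026-03-29"},
    {"host": "lb-edge-01.example.internal", "vendor": "f5", "product": "big-ip",
     "apm": True, "remediated": None},
    {"host": "web-01.example.internal", "vendor": "nginx", "product": "nginx",
     "apm": False, "remediated": None},
]

def kev_status(kev, inventory, today):
    """Return one tracking row per inventory asset matching a KEV entry."""
    rows = []
    for vuln in kev["vulnerabilities"]:
        due = date.fromisoformat(vuln["dueDate"])
        key = (vuln["vendorProject"].lower(), vuln["product"].lower())
        for asset in inventory:
            if (asset["vendor"].lower(), asset["product"].lower()) != key:
                continue
            fixed = asset["remediated"] and date.fromisoformat(asset["remediated"])
            if fixed:
                state = "remediated" if fixed <= due else "remediated-late"
            else:
                state = "overdue" if today > due else "open"
            rows.append({"cve": vuln["cveID"], "host": asset["host"], "apm": asset["apm"],
                         "state": state, "due": vuln["dueDate"],
                         "days_left": (due - today).days})
    # Unremediated assets first, then those with APM provisioned, then by hostname.
    rows.sort(key=lambda r: (r["state"].startswith("remediated"), not r["apm"], r["host"]))
    return rows

if __name__ == "__main__":
    for row in kev_status(KEV, INVENTORY, date(2026, 3, 28)):
        print(row)
```

Assets without APM provisioned are still listed rather than excluded, since the public records cited here identify the affected product only as F5 BIG-IP.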
Lyrie Verdict
CVE-2025-53521 is a KEV-listed RCE in F5 BIG-IP APM under active exploitation pressure, with a near-immediate CISA due date (CISA KEV). Lyrie treats KEV-designated RCEs as top-tier emergency signals and shifts autonomous detectors to those attack surfaces at machine speed—specifically prioritizing overflow-pattern telemetry aligned to CWE-121 behavior (NVD entry). Bottom line: don’t wait for patch windows—instrument and enforce now, and verify against authoritative CVE metadata as it updates (MITRE CVE record).