Vulnerability-Lookup

CERTFR-2026-ALE-004

Vulnerability from certfr_alerte - Published: 2026-03-31 - Updated: 2026-03-31

Le 15 octobre 2025, F5 a publié un avis de sécurité concernant entre autres la vulnérabilité CVE-2025-53521. Celle-ci affecte BIG-IP APM et permet à un attaquant non authentifié d'exécuter du code à distance.
Le 29 mars 2026, l'éditeur indique que cette vulnérabilité est exploitée activement.

Le CERT-FR recommande d'effectuer une recherche de compromission en s'appuyant sur les éléments documentés par F5 dans son billet de blogue [1] :

Indicateurs de compromission dans le système de fichiers :

la présence des fichiers /run/bigtlog.pipe ou /run/bigstart.ltm ;
des condensats des fichiers /usr/bin/umount et /usr/sbin/httpd différents de ceux des versions légitimes ;
des tailles de fichiers ou date de création des fichiers /usr/bin/umount et /usr/sbin/httpd différentes de celles des versions légitimes.

Indicateurs de compromission dans les journaux :

dans les fichiers /var/log/restjavad-audit.<NUMBER>.log, vérifier la présence d'entrées de la forme suivante, indiquant une requête iControl via API REST par un utilisateur local :

[ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}

dans les fichiers /var/log/auditd/audit.log.<NUMBER>, vérifier la présence d'entrées de la forme suivante, indiquant des tentatives de désactivation du système SELinux lors d'une requête iControl via API REST :

msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

dans le fichier /var/log/audit, vérifier la présence d'entrées de la forme suivante :

user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash <VARIABLE_COMMAND>

Indicateurs de compromission lors d'exécutions de commandes de contrôle :

exécution de sys‑eicheck : il s'agit d'un vérificateur d’intégrité du système, composant logiciel installé sur les appliances BIG‑IP. Il s’appuie sur la fonctionnalité de vérification d’intégrité des paquets RPM et confronte les exécutables présents sur le disque aux empreintes (condensats) stockées dans la base de données RPM. Lorsqu’une différence est constatée, le système alerte les utilisateurs.

/usr/bin/umount

/usr/sbin/httpd

exécution de lsof -n : le système est compromis si la présence de /run/bigtlog.pipe est avérée.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
F5	BIG-IP	BIG-IP Access Policy Manager (tous les modules) versions 17.1.x antérieures à 17.1.3
F5	BIG-IP	BIG-IP Access Policy Manager (tous les modules) versions 15.1.x antérieures à 15.1.10.8
F5	BIG-IP	BIG-IP Access Policy Manager (tous les modules) versions 17.5.x antérieures à 17.5.1.3
F5	BIG-IP	BIG-IP Access Policy Manager (tous les modules) versions 16.1.x antérieures à 16.1.6.1

References

Title

Publication Time

Tags

Bulletin de sécurité F5 K000156741	2025-10-15	vendor-advisory
Considérations et conseils à suivre si vous soupçonnez une faille de sécurité sur un système BIG-IP	-	other
[1] Marqueur de compromission pour c05d5254	-	other
Avis CERT-FR CERTFR-2025-AVI-0886 du 16 octobre 2025	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "BIG-IP Access Policy Manager (tous les modules) versions 17.1.x ant\u00e9rieures \u00e0 17.1.3",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Access Policy Manager (tous les modules) versions 15.1.x ant\u00e9rieures \u00e0 15.1.10.8",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Access Policy Manager (tous les modules) versions 17.5.x ant\u00e9rieures \u00e0 17.5.1.3",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Access Policy Manager (tous les modules) versions 16.1.x ant\u00e9rieures \u00e0 16.1.6.1",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "closed_at": null,
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-53521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53521"
    }
  ],
  "initial_release_date": "2026-03-31T00:00:00",
  "last_revision_date": "2026-03-31T00:00:00",
  "links": [
    {
      "title": "Consid\u00e9rations et conseils \u00e0 suivre si vous soup\u00e7onnez une faille de s\u00e9curit\u00e9 sur un syst\u00e8me BIG-IP",
      "url": "https://my.f5.com/manage/s/article/K11438344"
    },
    {
      "title": "[1] Marqueur de compromission pour c05d5254",
      "url": "https://my.f5.com/manage/s/article/K000160486"
    },
    {
      "title": "Avis CERT-FR CERTFR-2025-AVI-0886 du 16 octobre 2025",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-0886/"
    }
  ],
  "reference": "CERTFR-2026-ALE-004",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-03-31T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Le 15 octobre 2025, F5 a publi\u00e9 un avis de s\u00e9curit\u00e9 concernant entre autres la vuln\u00e9rabilit\u00e9 CVE-2025-53521. Celle-ci affecte BIG-IP APM et permet \u00e0 un attaquant non authentifi\u00e9  d\u0027ex\u00e9cuter du code \u00e0 distance.\u003cbr\u003e\nLe 29 mars 2026, l\u0027\u00e9diteur indique que cette vuln\u00e9rabilit\u00e9 est exploit\u00e9e activement.\n\nLe CERT-FR recommande d\u0027effectuer une recherche de compromission en s\u0027appuyant sur les \u00e9l\u00e9ments document\u00e9s par F5 dans son billet de blogue [1] :\n\u003col\u003e\n\u003cli\u003eIndicateurs de compromission dans le syst\u00e8me de fichiers :\u003c/li\u003e\n\u003cul\u003e\n\u003cli\u003ela pr\u00e9sence des fichiers \u003ccode\u003e/run/bigtlog.pipe\u003c/code\u003e ou \u003ccode\u003e/run/bigstart.ltm\u003c/code\u003e ;\u003c/li\u003e\n\u003cli\u003edes condensats des fichiers  \u003ccode\u003e/usr/bin/umount\u003c/code\u003e et \u003ccode\u003e/usr/sbin/httpd\u003c/code\u003e diff\u00e9rents de ceux des versions l\u00e9gitimes ;\u003c/li\u003e\n\u003cli\u003edes tailles de fichiers ou date de cr\u00e9ation des fichiers \u003ccode\u003e/usr/bin/umount\u003c/code\u003e et \u003ccode\u003e/usr/sbin/httpd\u003c/code\u003e diff\u00e9rentes de celles des versions l\u00e9gitimes.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cli\u003eIndicateurs de compromission dans les journaux :\u003c/li\u003e\n\u003cul\u003e\n\u003cli\u003edans les fichiers \u003ccode\u003e/var/log/restjavad-audit.\u0026lt;NUMBER\u0026gt;.log\u003c/code\u003e, v\u00e9rifier la pr\u00e9sence d\u0027entr\u00e9es de la forme suivante, indiquant une requ\u00eate iControl via API REST par un utilisateur local :\u003c/li\u003e\n\u003cpre\u003e\n[ForwarderPassThroughWorker{\"user\":\"local/f5hubblelcdadmin\",\"method\":\"POST\",\"uri\":\"http://localhost:8100/mgmt/tm/util/bash\",\"status\":200,\"from\":\"Unknown\"}\n\u003c/pre\u003e\n\u003cli\u003edans les fichiers \u003ccode\u003e/var/log/auditd/audit.log.\u0026lt;NUMBER\u0026gt;\u003c/code\u003e, v\u00e9rifier la pr\u00e9sence d\u0027entr\u00e9es de la forme suivante, indiquant des tentatives de d\u00e9sactivation du syst\u00e8me SELinux lors d\u0027une requ\u00eate iControl via API REST :\u003c/li\u003e\n\u003cpre\u003e\nmsg=\u0027avc: received setenforce notice (enforcing=0) exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?\u0027\n\u003c/pre\u003e\n\u003cli\u003edans le fichier \u003ccode\u003e/var/log/audit\u003c/code\u003e, v\u00e9rifier la pr\u00e9sence d\u0027entr\u00e9es de la forme suivante :\u003c/li\u003e\n\u003cpre\u003e\nuser=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash \u0026lt;VARIABLE_COMMAND\u0026gt;\n\u003c/pre\u003e\nCette entr\u00e9e illustre un exemple de commande ex\u00e9cut\u00e9e et consign\u00e9e dans le journal d\u2019audit, corr\u00e9l\u00e9e \u00e0 la requ\u00eate iControl\u202fREST mentionn\u00e9e ci\u2011dessus.\n\u003c/ul\u003e\n\u003cli\u003eIndicateurs de compromission lors d\u0027ex\u00e9cutions de commandes de contr\u00f4le :\u003c/li\u003e\n\u003cul\u003e\n\u003cli\u003eex\u00e9cution de \u003ccode\u003esys\u2011eicheck\u003c/code\u003e : il s\u0027agit d\u0027un v\u00e9rificateur d\u2019int\u00e9grit\u00e9 du syst\u00e8me, composant logiciel install\u00e9 sur les appliances BIG\u2011IP. Il s\u2019appuie sur la fonctionnalit\u00e9 de v\u00e9rification d\u2019int\u00e9grit\u00e9 des paquets RPM et confronte les ex\u00e9cutables pr\u00e9sents sur le disque aux empreintes (condensats) stock\u00e9es dans la base de donn\u00e9es RPM. Lorsqu\u2019une diff\u00e9rence est constat\u00e9e, le syst\u00e8me alerte les utilisateurs.\u003c/li\u003e\n\nL\u0027ex\u00e9cution de cette commande peut indiquer des erreurs de conformit\u00e9, en particulier concernant les fichiers \u003ccode\u003e/usr/bin/umount\u003c/code\u003e ou \u003ccode\u003e/usr/sbin/httpd\u003c/code\u003e.\n\n\u003cli\u003eex\u00e9cution de \u003ccode\u003elsof -n\u003c/code\u003e : le syst\u00e8me est compromis si la pr\u00e9sence de \u003ccode\u003e/run/bigtlog.pipe\u003c/code\u003e est av\u00e9r\u00e9e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/ol\u003e",
  "title": "Vuln\u00e9rabilit\u00e9 dans F5 BIG-IP Access Policy Manager",
  "vendor_advisories": [
    {
      "published_at": "2025-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 F5 K000156741",
      "url": "https://my.f5.com/manage/s/article/K000156741"
    }
  ]
}

CVE-2025-53521 (GCVE-0-2025-53521)

Vulnerability from cvelistv5 – Published: 2025-10-15 13:55 – Updated: 2026-03-31 16:04

Title

BigIP APM Vulnerability

Summary

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-121 - Stack-based Buffer Overflow

Assigner

References

URL

Tags

https://my.f5.com/manage/s/article/K000156741

vendor-advisory

Impacted products

	Vendor	Product	Version
	F5	BIG-IP	Affected: 17.5.0 , < 17.5.1.3 (custom) Affected: 17.1.0 , < 17.1.3 (custom) Affected: 16.1.0 , < 16.1.6.1 (custom) Affected: 15.1.0 , < 15.1.10.8 (custom)

Date Public ?

2025-10-15 14:00

Credits

F5 would like to thank Kristian Vlaardingerbroek, Hugo Trippaers, and other people of Schuberg Philis; Bart Vrancken; Fox-IT; and the National Cyber Security Centre (NCSC) in the Netherlands for their assistance in investigating this issue and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53521",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-28T03:55:47.100165Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-03-27",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-29T13:56:45.917Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "APM"
          ],
          "product": "BIG-IP",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "17.5.1.3",
              "status": "affected",
              "version": "17.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "17.1.3",
              "status": "affected",
              "version": "17.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "16.1.6.1",
              "status": "affected",
              "version": "16.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "15.1.10.8",
              "status": "affected",
              "version": "15.1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 would like to thank Kristian Vlaardingerbroek, Hugo Trippaers, and other people of Schuberg Philis; Bart Vrancken; Fox-IT; and the National Cyber Security Centre (NCSC) in the Netherlands for their assistance in investigating this issue and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2025-10-15T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).\u003c/span\u003e\u0026nbsp;\u0026nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\u003c/span\u003e"
            }
          ],
          "value": "When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T16:04:27.360Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000156741"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "BigIP APM Vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2025-53521",
    "datePublished": "2025-10-15T13:55:52.694Z",
    "dateReserved": "2025-10-03T23:04:38.083Z",
    "dateUpdated": "2026-03-31T16:04:27.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2026-ALE-004

Solutions

CVE-2025-53521 (GCVE-0-2025-53521)

Tags

Sightings

Nomenclature