F5 BIG-IP APM CVE-2025-53521: Brief Summary of Denial of Service Vulnerability

Short review of CVE-2025-53521 affecting F5 BIG-IP APM: a denial of service flaw caused by resource allocation issues in specific versions. Includes affected versions, technical details, and vendor security context.
ZeroPath CVE Analysis

2025-10-15
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A single malformed request can disrupt remote access for thousands of users relying on F5 BIG-IP APM. This vulnerability, CVE-2025-53521, allows unauthenticated attackers to remotely trigger a denial of service by crashing the core traffic engine on affected systems. Organizations using F5 BIG-IP Access Policy Manager for secure access and authentication services should review their deployments immediately.

About F5 Networks: F5 is a global leader in application delivery and security, with BIG-IP products deployed in enterprise, government, and cloud environments worldwide. Their solutions are critical for load balancing, access management, and application security, making vulnerabilities in these products highly impactful across industries.

Technical Information

CVE-2025-53521 is a resource allocation vulnerability classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw is present when a BIG-IP Access Policy Manager (APM) access policy is configured on a virtual server. If an attacker sends specially crafted but undisclosed traffic to the affected virtual server, the Traffic Management Microkernel (TMM) process will terminate and restart.

  • The vulnerability is remotely exploitable without authentication.
  • The root cause is insufficient resource management in APM policy processing, allowing certain traffic patterns to exhaust or mismanage system resources.
  • TMM termination leads to temporary disruption of all traffic handled by the BIG-IP device until the process restarts.

F5 has not disclosed the exact nature of the triggering traffic, limiting defenders' ability to create specific detection signatures. The issue is not a traditional crash but a protective termination of TMM when resource thresholds are exceeded or mismanaged during policy evaluation.

Affected Systems and Versions

CVE-2025-53521 affects the following F5 BIG-IP APM versions when an access policy is configured on a virtual server:

  • BIG-IP APM 17.5.0 through 17.5.1
  • BIG-IP APM 17.1.0 through 17.1.2
  • BIG-IP APM 16.1.0 through 16.1.5 (or 16.1.6 per some advisories)
  • BIG-IP APM 15.1.0 through 15.1.10

Fixed versions are:

  • 17.5.1.3 or later
  • 17.1.3 or later
  • 16.1.6.1 or later
  • 15.1.10.8 or later

Only systems with an APM access policy configured on a virtual server are vulnerable.
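To turn the version lists above into a repeatable triage check, here is an added example (not F5's code or a ZeroPath tool) that classifies a BIG-IP APM build against the affected and fixed ranges stated in this summary and also applies the precondition that an APM access policy must be attached to a virtual server. The hostnames and builds in the sample inventory are constructed; the 16.1.x range is read conservatively, treating every build below the fixed 16.1.6.1 as affected.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Per branch: (first affected build, first fixed build), from the lists above.
# A build is in range if it is in the same major.minor branch and sorts below
# the fixed build. Advisories differ on the last affected 16.1.x build (16.1.5
# or 16.1.6); since the fix is 16.1.6.1, anything below it is treated as affected.
BRANCHES: List[Tuple[Version, Version]] = [
    ((17, 5, 0), (17, 5, 1, 3)),
    ((17, 1, 0), (17, 1, 3)),
    ((16, 1, 0), (16, 1, 6, 1)),
    ((15, 1, 0), (15, 1, 10, 8)),
]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric build string such as '17.1.2' or '16.1.6.1'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess(version: str, apm_policy_on_virtual_server: bool) -> Dict[str, object]:
    """Classify one BIG-IP APM build against CVE-2025-53521.

    'vulnerable' requires both a range match and an APM access policy on a
    virtual server. Branches not listed in the advisory (e.g. 14.x) come back
    as 'not in a listed range', which is not the same as safe.
    """
    v = parse_version(version)
    for first_affected, first_fixed in BRANCHES:
        # Tuple comparison handles differing lengths: (17, 5, 1) < (17, 5, 1, 3).
        if v[:2] == first_affected[:2] and first_affected <= v < first_fixed:
            return {
                "in_affected_range": True,
                "vulnerable": apm_policy_on_virtual_server,
                "upgrade_to": format_version(first_fixed),
            }
    return {"in_affected_range": False, "vulnerable": False, "upgrade_to": None}


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, build, APM policy on a virtual server).
    inventory = [("vpn-a", "17.1.2", True), ("lb-b", "17.1.2", False), ("vpn-c", "17.5.1.3", True)]
    for host, build, apm in inventory:
        print(host, build, assess(build, apm))
```

Feed it the output of `tmsh show sys version` plus your own record of which virtual servers carry an access policy; a range match without a policy still warrants scheduling the upgrade, since adding a policy later would expose the device.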

Vendor Security History

F5 has previously addressed critical vulnerabilities in BIG-IP components, including:

  • CVE-2020-5902: Remote code execution in TMUI, exploited in the wild within days of disclosure
  • CVE-2023-46747: Authentication bypass and remote code execution in TMUI
  • Multiple denial of service flaws in TMM and APM modules

F5 has improved its patch response with quarterly advisories and backported fixes for supported versions. However, recurring issues in TMM and APM indicate ongoing challenges in securing complex traffic management code.
