The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a serious security hole to its list of Known Exploited Vulnerabilities (KEV).

CVE-2025-53521 (CVSS v4 score: 9.3) is the vulnerability in question. It could let a threat actor execute code remotely. According to the description of the flaw on CVE.org, when a BIG-IP APM access policy is configured on a virtual server, certain malicious traffic can lead to Remote Code Execution (RCE).

F5 said that the shortcoming was first identified and fixed as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7. However, the company said it has since been reclassified as a case of RCE based on "new information obtained in March 2026."

Other TTPs seen include changes to the components that sys-eicheck, the system integrity checker, depends on, which caused the tool to fail. The BIG-IP system also sends HTTP/S traffic that has HTTP 201 response codes and a CSS content type to hide what the attacker is doing.

Because of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until March 30, 2026, to apply the fixes to make their networks safe.
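The HTTP 201 plus CSS content-type indicator described above can be hunted for in web or proxy logs. The following is an added example, not code from F5 or CISA; the JSON log schema, the field names, the sample records and the `BIGIP_ADDRESSES` set are all assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records (JSON lines). The schema is an assumption for this
# example; map the field names to whatever your proxy or sensor emits.
SAMPLE_LOG = """\
{"ts":"2026-03-28T10:01:02Z","src":"10.0.5.10","dst":"203.0.113.7","status":200,"content_type":"text/css"}
{"ts":"2026-03-28T10:01:09Z","src":"10.0.5.10","dst":"203.0.113.7","status":201,"content_type":"Text/CSS; charset=utf-8"}
{"ts":"2026-03-28T10:02:11Z","src":"10.0.5.10","dst":"198.51.100.4","status":201,"content_type":"application/json"}
{"ts":"2026-03-28T10:03:40Z","src":"10.0.9.22","dst":"203.0.113.7","status":201,"content_type":"text/css"}
not-json garbage line
{"ts":"2026-03-28T10:04:00Z","src":"10.0.5.10","dst":"203.0.113.7","status":"201","content_type":"text/css"}
"""

BIGIP_ADDRESSES = {"10.0.5.10"}  # assumption: addresses of your BIG-IP units

def media_type(value):
    """Return the bare media type, lower-cased, without parameters."""
    return str(value or "").split(";", 1)[0].strip().lower()

def find_201_css(lines, bigip_addrs):
    """Return records where a BIG-IP address is an endpoint of a 201 + text/css exchange."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
            status = int(rec["status"])  # tolerate "201" logged as a string
        except (ValueError, TypeError, KeyError):
            continue  # skip malformed or incomplete lines instead of aborting
        if status != 201 or media_type(rec.get("content_type")) != "text/css":
            continue
        if rec.get("src") in bigip_addrs or rec.get("dst") in bigip_addrs:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count hits per (src, dst) pair so repeated exchanges stand out."""
    return Counter((h.get("src"), h.get("dst")) for h in hits)

if __name__ == "__main__":
    found = find_201_css(SAMPLE_LOG.splitlines(), BIGIP_ADDRESSES)
    for pair, count in summarize(found).most_common():
        print(pair, count)
```

A 201 (Created) status paired with a stylesheet body is unusual for ordinary web traffic, so any hit involving a BIG-IP address is worth reviewing alongside the state of sys-eicheck on that device.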

"Fast forward to the big 'yikes' moment of today: things have changed a lot. What we're seeing now is pre-auth remote code execution and proof of exploitation in the wild, along with a CISA KEV listing to back it up." F5 says, "That's a very different risk profile than what was first communicated."

The problem affects versions 17.5.0 to 17.5.1, but it has been fixed in version 17.1.3.