{"id":5072,"date":"2026-04-05T00:40:16","date_gmt":"2026-04-05T00:40:16","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/04\/05\/ncsc-urges-immediate-patching-of-f5-big-ip-bug\/"},"modified":"2026-04-05T00:40:16","modified_gmt":"2026-04-05T00:40:16","slug":"ncsc-urges-immediate-patching-of-f5-big-ip-bug","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/04\/05\/ncsc-urges-immediate-patching-of-f5-big-ip-bug\/","title":{"rendered":"NCSC Urges Immediate Patching of F5 BIG-IP Bug"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>UK organizations have been encouraged to immediately patch a critical new vulnerability in F5\u2019s BIG-IP Access Policy Manager\u00a0(APM) product currently under active exploitation.<\/p>\n<p>The National Cyber Security Centre (NCSC) explained that it is still \u201cworking to fully understand UK impact and any potential cases of active exploitation affecting UK networks.\u201d<\/p>\n<p>It added that CVE-2025-53521 could lead to remote code execution (RCE) \u201cwhen a BIG-IP APM access policy is configured on a virtual server.\u201d<\/p>\n<p>In a security advisory, F5 explained that the flaw was originally classified as a denial-of-service vulnerability with a CVSS score of 7.5. However, \u201cdue to new information obtained in March 2026\u201d the CVE is being re-categorized as an RCE flaw with a score of 9.8.<\/p>\n<p><em>Read more on F5 vulnerabilities: Firms Urged to Patch as Attackers Exploit Critical F5 Bugs<\/em><\/p>\n<p>The US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and gave federal agencies up to midnight on March 30 to patch \u2013 reflecting the seriousness of the bug.<\/p>\n<p>&#8220;This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,&#8221; it said.<\/p>\n<p>F5 urged customers to consult their corporate security policy for incident handling guidelines including forensic best practices, in the event of compromise.<\/p>\n<p>\u201cMore specifically, review the policies to ensure that they comply with evidence collection and forensics procedures for a security incident before you attempt to recover the system,\u201d it added.<\/p>\n<p>\u201cAdditionally, if you do not know exactly when the system was compromised, your UCS [user configuration set] backups may have been created afterward, or both, F5 strongly recommends that you rebuild the configuration from scratch because UCS files from compromised systems can contain persistent malware.\u201d<\/p>\n<h2><strong>What F5 Customers Should Do Next<\/strong><\/h2>\n<p>The NCSC recommended F5 customers do the following:<\/p>\n<ul>\n<li>Read F5\u2019s\u00a0security advisory\u00a0and\u00a0Indicators of Compromise<\/li>\n<li>Isolate affected systems where possible and replace with a new, fully updated system \u2013 although this may cause a service outage<\/li>\n<li>Fully investigate for evidence of compromise in line with F5\u00a0guidance. If this isn\u2019t possible, the affected system should be \u201cerased\/destroyed and rebuilt as new\u201d<\/li>\n<li>Report any incidents of compromise to the NCSC\u00a0<\/li>\n<li>Update to the latest version of the product<\/li>\n<li>Apply appropriate security hardening<\/li>\n<li>Re-enable\/reintroduce the affected system(s)<\/li>\n<li>Perform continuous threat hunting \u00a0<\/li>\n<\/ul>\n<p>F5 products are popular targets for sophisticated threat actors, including nation states.<\/p>\n<p>Last October the tech vendor revealed that a state-backed group had achieved \u201clong-term, persistent access\u201d to its own systems, stealing source code and undisclosed information about vulnerabilities in its products.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>UK organizations have been encouraged to immediately patch a critical new vulnerability in F5\u2019s BIG-IP Access Policy Manager\u00a0(APM) product currently under active exploitation. The National Cyber Security Centre (NCSC) explained that it is still \u201cworking to fully understand UK impact and any potential cases of active exploitation affecting UK networks.\u201d It added that CVE-2025-53521 could<\/p>\n","protected":false},"author":2,"featured_media":5073,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5072","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5072-0de29d96-c15d-42c8-a47d-b3033a020412-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5072"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5072\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5073"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5072"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}