CVE-2025-53474: 
F5 BIG-IP Virtual Edition vulnerability analysis and mitigation

CVE-2025-53474 is a vulnerability affecting F5's BIG-IP Access Policy Manager (APM) products discovered in October 2025. When an iRule using an ILX::call command is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. The vulnerability affects multiple versions of BIG-IP APM including versions 15.1.0-15.1.1.0.8, 16.1.0-16.1.6.1, 17.1.0-17.1.3, and 17.5.0-17.5.1 (NVD).

The vulnerability has been assigned a CVSS v4.0 base score of 8.7 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) and a CVSS v3.1 base score of 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The vulnerability allows remote attackers to cause a denial of service by terminating the Traffic Management Microkernel through specially crafted traffic when an iRule with ILX::call command is configured (NVD).

The primary impact of this vulnerability is the potential for denial of service attacks against affected BIG-IP APM systems. When successfully exploited, it can cause the Traffic Management Microkernel (TMM) to terminate, disrupting the normal operation of the virtual server (NVD).

F5 has released patches for affected versions and strongly urges customers to update their BIG-IP software as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued emergency directive (ED) 26-01 requiring federal agencies to inventory F5 deployments, lock down internet-exposed management interfaces, and meet specific patch deadlines by October 22 and October 31, 2025 (Tenable).

The vulnerability disclosure came as part of a larger security incident where F5 revealed that a nation-state threat actor had maintained long-term access to their environment and exfiltrated portions of BIG-IP source code. This has raised significant concern in the security community, leading CISA to issue an emergency directive for federal agencies (Lansweeper).