TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources APPLICATION SECURITY CYBERATTACKS & DATA BREACHES CYBER RISK VULNERABILITIES & THREATS NEWS Fortinet BIG-IP Vulnerability Reclassified as RCE, Under Exploitation CVE-2025-53521 was initially disclosed in October as a high-severity denial-of-service (DoS) flaw, but new information has revealed the bug is actually much more dangerous. Rob Wright,Senior News Director,Dark Reading March 30, 2026 4 Min Read SOURCE: DANNY NEBRASKA VIA ALAMY STOCK PHOTO A critical security vulnerability in Fortinet's BIG-IP application security product line, which was first disclosed in October as a high-severity denial-of-service (DoS) flaw, is under active exploitation in the wild. Fortinet on Saturday also re-categorized CVE-2025-53521 as a remote code execution (RCE) flaw with a 9.8 CVSS score. The vulnerability initially was disclosed and patched on Oct. 15, when it was described as a DoS bug for the BIG-IP Access Policy Manager, with a CVSS score of 7.5. Because of "new information obtained in March 2026," the CVE was revised as an RCE flaw with a significantly higher severity rating, according to Fortinet's updated advisory. It's unclear what the new information entailed. Dark Reading contacted Fortinet for comment but the company did not respond by press time. CVE-2025-53521 Under Attack Fortinet also warned in the updated advisory that CVE-2025-53521 has been exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Friday. Related:Storm Brews Over Critical, No-Click Telegram Flaw According to Fortinet, a threat actor can exploit the critical bug by sending "specific malicious traffic" to virtual servers configured with BIG-IP AMP, which would give them RCE capabilities. BIG-IP AMP versions 17.5.0 to 17.5.1, 17.1.0 to 17.1.2, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10 are vulnerable. Fortinet urged customers to upgrade to a fixed version. The network security vendor also said BIG-IP systems in running in appliance mode, which restricts administrative access to the systems, are still vulnerable to the flaw. Fortinet separately published indicators of compromise (IoCs) for the exploitation activity against CVE-2025-53521. The company noted that in cases of the successful deployment of malicious software tracked as c05d5254, organizations may detect files on disk such as /run/bigtlog.pipe and /run/bigstart.ltm, as well as mismatches of file sizes, hashes, and timestamps for known good versions of known good versions of /usr/bin/umount and /usr/sbin/httpd. The IoCs also included log entries, commands, and other tactics, techniques, and procedures used by the attackers. Cybersecurity vendor Defused, meanwhile, said it observed scanning activity for CVE-2025-53521 following the addition of the flaw to CISA's KEV catalog. "This actor is hitting /mgmt/shared/identified-devices/config/device-info, which is a F5 BIG-IP REST API endpoint used to retrieve system-level information, such as hostname, machine ID, and base MAC address," Defused said on Friday in a post on social media platform X. Related:Google Sets 2029 Deadline for Quantum-Safe Cryptography It's unclear when the exploitation activity first began. Simo Kohonen, founder and CEO of Defused, tells Dark Reading that his company's BIG-IP honeypots are "more or less under attack consistently." However, he says the company has observed some notable changes in the threat activity since Friday, including new ways of fingerprinting F5 instances. "Generic mass exploiters consistently use the same type of payload, but we've observed minor deviations to the payloads in the past week, which suggests more actors out there are looking at mapping out F5 infrastructure," Kohonen says. More Trouble for Fortinet Customers? In addition to the attacks on CVE-2025-53521, Defused flagged exploitation activity against another Fortinet vulnerability affecting the FortiClient Endpoint Management Server (EMS). CVE-2026-21643 is a critical SQL injection flaw, first disclosed and patched on Feb. 6, that could give an attacker RCE capabilities. Defused noted in another X post on Saturday that its honeypot data revealed exploitation activity had begun four days earlier: "Attackers can smuggle SQL statements through the "Site"-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed." Related:AI-Powered Dependency Decisions Introduce, Ignore Security Bugs CISA has not added CVE-2026-21643 to the KEV catalog, and Fortinet has not confirmed exploitation activity for that particular bug. Kohonen says there doesn't appear to be any overlap between the attacks. "The IP addresses targeting the FortiClient vulnerability seem to be dedicated to exploiting that system alone," he says. "We run a comparison engine on all incoming attacks to see if the observed IP has ever been seen in any other honeypot type, and so far, all of them are unique to FortiClient." Fortinet products have been frequently targeted by a wide range of threat actors. Last year, nation-state attackers breached Fortinet and stole sensitive data, including source code for the BIG-IP platform. Earlier this year, threat actors exploited a critical zero-day flaw that allowed them to login into customer systems via FortiCloud's single sign-on (SSO) feature. Given the increased risk posed by CVE-2025-53521, as well as the report exploitation activity against CVE-2026-21643, Fortinet customers should update their software and review their systems for any signs of compromise. About the Author Rob Wright Senior News Director, Dark Reading Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like APPLICATION SECURITY Trump Administration Rescinds Biden-Era Software Guidance by Alexander Culafi JAN 29, 2026 APPLICATION SECURITY Microsoft Fixes Exploited Zero Day in Light Patch Tuesday by Jai Vijayan, Contributing Writer DEC 09, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 APPLICATION SECURITY Oracle Cloud Users Urged to Take Action by Jai Vijayan, Contributing Writer MAR 31, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS GISEC GLOBAL 2026 GISEC GLOBAL is the most influential