
Over 14,000 F5 BIG-IP APM Instances Remain Exposed to Active Remote Code Execution Attacks

Internet security watchdog Shadowserver has identified more than 14,000 F5 BIG-IP Access Policy Manager instances exposed online that remain vulnerable to a critical remote code execution vulnerability, even as attacks exploiting the flaw are actively ongoing, according to BleepingComputer.

The vulnerability, rated critical severity, allows an unauthenticated attacker to execute arbitrary code on affected BIG-IP systems. BIG-IP is widely deployed by enterprises, government agencies, and telecommunications providers as an application delivery controller and load balancer, making the exposure particularly significant from a blast-radius perspective.

F5 released patches for the vulnerability and issued a security advisory urging customers to update affected systems. Despite the availability of fixes and public disclosure of active exploitation, Shadowserver's internet-wide scanning found a substantial number of instances remain unpatched and directly reachable from the internet.

The gap between patch availability and actual patch deployment is a persistent problem in enterprise security. BIG-IP devices often sit at the network perimeter handling critical traffic flows, and operators may delay patching due to concerns about service interruption or the complexity of change management processes in large organizations.

F5 BIG-IP has been targeted in previous high-profile exploitation campaigns. In 2020 and 2021, threat actors including nation-state groups and ransomware operators exploited earlier BIG-IP vulnerabilities to gain initial network access at government and financial sector targets.

Organizations running BIG-IP APM are advised to apply the available patches immediately, restrict management interface access to trusted IP ranges, and review logs for signs of exploitation activity predating the patch.
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.