Hackers now exploit critical F5 BIG-IP flaw in attacks, patch now

From “just a crash” to “full takeover” — IT teams fume over weekend patch scramble

TLDR: A widely used F5 login gateway flaw is now confirmed exploitable for full system takeover, and U.S. agencies must patch by Monday. Commenters are split between blaming F5’s late severity switch and calling out slow patchers, while memes about “weekend fire drills” flood timelines—because hijacked login doors are a nightmare.

Security folks are melting down after F5 said a bug in its BIG-IP APM—an access gateway many companies use to handle logins—wasn’t just a crash risk but a full remote takeover risk all along. Translation: attackers can hijack the box that sits in front of your apps. Cue the panic. F5’s updated advisory says it’s already being abused in the wild and urges checks for signs of break-ins, while CISA’s warning tells U.S. agencies to fix it by Monday night.

And the community? Spicy. The loudest chorus: “You reclassified this now? On a weekend?!” Admins complain they’re once again patching while their friends eat brunch, with one meme renaming APM to “Actually Patch Monday.” Others call it “Big-IP? Big Yikes.” There’s a split, though: some blame F5 for downplaying the bug as a simple crash, while defenders argue the fix was shipped and slow patching is the real villain. Meanwhile, Shadowserver says over 240,000 BIG-IP boxes are online, sparking fights over how many are actually at risk.

Jokes aside, pros are sharing checklists: scan logs, look for weird commands, follow forensics advice before wiping. The most cynical take was aimed at CISA’s line to “discontinue use if mitigations are unavailable,” which spawned the meme: “Step 1: Unplug the internet.” Drama, dread, and dashboards—welcome to patch o’clock.

Key Points

  • CVE-2025-53521 in F5 BIG-IP APM has been reclassified from DoS to remote code execution and is being exploited in the wild.
  • F5 confirmed fixed versions remediate the RCE, published IOCs, and urged checks of disks, logs, and terminal history.
  • F5 advised organizations to follow internal forensic and evidence-collection policies before attempting recovery.
  • CISA added the flaw to its known exploited list and ordered U.S. federal agencies to secure affected systems by March 30.
  • Shadowserver reports over 240,000 BIG-IP instances exposed online, with unknown counts of vulnerable or patched systems.

Hottest takes

“DoS to RCE in March? That’s not a patch note, that’s a plot twist” — pagerduty-poet
“If your crown-jewel login box faces the internet naked, this one’s on you” — blame_the_firewall
“APM now means ‘Actually Patch Monday’—guess who’s working late” — weekendwarrior_sec