What Happened
A vulnerability in F5 BIG-IP Access Policy Manager — a product widely used to provide secure remote access, VPN services, and application access control for enterprise workforces — has been confirmed as actively exploited by the US Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability was originally disclosed in October 2025 as a relatively minor issue. On 27 March 2026, F5 updated its assessment to classify the flaw as critical remote code execution — the most severe category — after determining that attackers had found a way to use it to take full control of the affected appliance. CISA immediately added it to its Known Exploited Vulnerabilities catalogue, confirming government evidence of active attacks in the wild.
An attacker who successfully exploits this vulnerability gains control over the gateway through which remote workers and partners connect to the organisation. From that position, the attacker can intercept authenticated sessions, access connected applications, and move laterally into the internal network.
Business Impact
Remote access infrastructure is the target. F5 BIG-IP APM is specifically deployed as a gatekeeping layer for remote worker access, partner connectivity, and application delivery. An attacker who compromises this gateway does not need to break individual applications — they inherit the access of every user who authenticates through it.
Session theft without passwords. Successful exploitation can yield valid session tokens — the credentials that allow a user to access connected systems without re-entering their password. These stolen tokens provide access to email, internal portals, ERP systems, and anything else connected through the BIG-IP gateway.
Wide exposure window. Because the vulnerability was originally under-classified in October 2025, organisations that reviewed the original advisory and deferred patching have potentially been exposed for months. A forensic review of APM logs is warranted even after patching.
Cascading access risk. Organisations using BIG-IP APM as their single sign-on or zero trust network access (ZTNA) entry point expose every application in scope to any attacker who controls the gateway.
Regulatory Implications
NIS2: Essential and important entities must apply patches for actively exploited vulnerabilities without undue delay. CISA’s KEV listing and the US government’s three-day mandate confirm “undue delay” has effectively already passed for any organisation that has not yet patched.
DORA: Financial entities’ ICT risk management must address vulnerabilities in critical access infrastructure. BIG-IP APM sits at the intersection of network access and identity — its compromise is an ICT risk event of the highest priority for DORA-regulated institutions.
ISO 27001: Annex A.8.8 (technical vulnerability management) requires timely remediation of critical vulnerabilities. CISA KEV status constitutes confirmation that this vulnerability meets the “critical” threshold requiring expedited remediation.
Board-Ready Summary
- The US government has confirmed active attacks targeting a widely-deployed network access product (F5 BIG-IP APM), which organisations use to provide secure remote access and single sign-on for employees and partners.
- Attackers who exploit this vulnerability can take over the gateway and gain access to all connected systems as if they were authorised users — without needing individual passwords.
- Organisations using F5 BIG-IP APM must apply the vendor patch immediately; any further delay represents confirmed, ongoing, unmitigated risk.
Recommended Actions
- Determine whether your organisation uses F5 BIG-IP APM within 2 hours. Contact your network infrastructure team and request confirmation of the BIG-IP software version on every appliance and whether the APM module is provisioned on it. If you use F5 for remote access or application delivery, treat this as a P1 incident now.
- Apply the F5 patch immediately. Invoke emergency change procedures. The patch is available for all supported version lines. Given confirmed active exploitation, every hour of delay is an hour of unmitigated critical risk.
- Review BIG-IP APM access logs going back at least to October 2025, when the vulnerability was first disclosed. Look for anomalous REST API access patterns, unexpected session creation, and APM process anomalies. Patching closes the hole but does not evict an attacker who already used it, so this review is required even on patched appliances.
- Notify your CISO and CRO today. This is a board-level risk event: critical infrastructure compromise, US government confirmation of active attacks, and potential prior compromise dating back five months.
- Assess cyber insurance notification obligations. If exploitation is suspected from forensic log review, consult legal counsel on notification obligations under your cyber insurance policy and any applicable breach notification regulations.
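The log review step above names three things to look for: unexpected session creation, anomalous REST API access, and process anomalies. The script below is an added triage example, not F5 tooling and not part of the original advisory, showing how the first two can be checked mechanically over exported logs. The sample lines are constructed in the shape of BIG-IP apmd "New session" syslog entries and restjavad audit entries; the year, the burst threshold, the off-hours window, the list of allowed REST users and the treatment of /mgmt/tm/util/bash as a shell-capable endpoint are all assumptions to adjust for your environment. The heuristics are generic hygiene checks; the page does not describe the exploitation path, so nothing here is an indicator specific to this flaw.

```python
"""Triage helper for BIG-IP APM / iControl REST log exports (added example).

Flags (1) bursts of new APM sessions from one client IP, (2) sessions created
off-hours, and (3) REST audit entries by unexpected users or to a shell-capable
endpoint. Log shapes below are constructed, not real captures.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2026            # syslog lines carry no year (assumption for the sample)
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5            # assumed tuning value, not an F5 recommendation
SHELL_ENDPOINTS = {"/mgmt/tm/util/bash"}   # iControl REST endpoint that runs a shell command
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample in the shape of /var/log/apm "New session" lines.
APM_LOG = """\
Mar 26 09:14:02 bigip1 notice apmd[4711]: 01490500:5: /Common/ap1:Common:a1b2c3d4: New session from client IP 203.0.113.10 (ST=/CC=/C=) at VIP 198.51.100.5 Listener /Common/vs_apm
Mar 26 09:15:40 bigip1 notice apmd[4711]: 01490500:5: /Common/ap1:Common:b2c3d4e5: New session from client IP 203.0.113.11 (ST=/CC=/C=) at VIP 198.51.100.5 Listener /Common/vs_apm
Mar 27 03:02:11 bigip1 notice apmd[4711]: 01490500:5: /Common/ap1:Common:c3d4e5f6: New session from client IP 192.0.2.77 (ST=/CC=/C=) at VIP 198.51.100.5 Listener /Common/vs_apm
Mar 27 03:02:13 bigip1 notice apmd[4711]: 01490500:5: /Common/ap1:Common:d4e5f6a7: New session from client IP 192.0.2.77 (ST=/CC=/C=) at VIP 198.51.100.5 Listener /Common/vs_apm
Mar 27 03:02:15 bigip1 notice apmd[4711]: 01490500:5: /Common/ap1:Common:e5f6a7b8: New session from client IP 192.0.2.77 (ST=/CC=/C=) at VIP 198.51.100.5 Listener /Common/vs_apm
Mar 27 03:02:18 bigip1 notice apmd[4711]: 01490500:5: /Common/ap1:Common:f6a7b8c9: New session from client IP 192.0.2.77 (ST=/CC=/C=) at VIP 198.51.100.5 Listener /Common/vs_apm
Mar 27 03:02:20 bigip1 notice apmd[4711]: 01490500:5: /Common/ap1:Common:a7b8c9d0: New session from client IP 192.0.2.77 (ST=/CC=/C=) at VIP 198.51.100.5 Listener /Common/vs_apm
"""

# Constructed sample in the shape of restjavad audit entries (prefix + JSON body).
REST_AUDIT_LOG = """\
[I][1201][26 Mar 2026 09:10:00 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/version","status":200}
[I][1202][27 Mar 2026 03:01:58 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200}
[I][1203][27 Mar 2026 03:03:05 UTC][ForwarderPassThroughWorker] {"user":"local/svc_backup","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200}
"""

APM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ apmd\[\d+\]: 01490500:\d: "
    r"(?P<policy>/\S+?):\w+:(?P<sid>[0-9a-f]+): New session from client IP (?P<ip>[\d.]+)"
)
REST_PREFIX_RE = re.compile(r"^\[\w\]\[\d+\]\[(?P<ts>[^\]]+)\]")


def parse_apm_sessions(text, year=ASSUMED_YEAR):
    """Return one dict per 'New session' line: time, client ip, session id, policy."""
    sessions = []
    for line in text.splitlines():
        m = APM_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sessions.append({"time": ts, "ip": m["ip"], "sid": m["sid"], "policy": m["policy"]})
    return sessions


def find_session_bursts(sessions, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Flag client IPs that opened >= threshold sessions inside any sliding window."""
    by_ip = defaultdict(list)
    for s in sessions:
        by_ip[s["ip"]].append(s["time"])
    findings = []
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:      # drop events older than the window
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            findings.append({"ip": ip, "count": best, "window_s": int(window.total_seconds())})
    return findings


def find_off_hours_sessions(sessions, start_hour=22, end_hour=6):
    """Count sessions per client IP created between start_hour and end_hour (assumed window)."""
    counts = defaultdict(int)
    for s in sessions:
        if s["time"].hour >= start_hour or s["time"].hour < end_hour:
            counts[s["ip"]] += 1
    return dict(counts)


def review_rest_audit(text, allowed_users):
    """Flag REST calls by users outside the allowlist and mutating calls to shell endpoints."""
    findings = []
    for line in text.splitlines():
        pm = REST_PREFIX_RE.match(line)
        idx = line.find("{")
        if not pm or idx < 0:
            continue
        try:
            rec = json.loads(line[idx:])
        except ValueError:
            continue
        path = re.sub(r"^https?://[^/]+", "", rec.get("uri", ""))
        base = {"time": pm["ts"], "user": rec.get("user"), "uri": path}
        if rec.get("user") not in allowed_users:
            findings.append({**base, "reason": "unexpected_user"})
        if rec.get("method") in MUTATING and path in SHELL_ENDPOINTS:
            findings.append({**base, "reason": "shell_endpoint"})
    return findings


if __name__ == "__main__":
    sess = parse_apm_sessions(APM_LOG)
    print("bursts:", find_session_bursts(sess))
    print("off-hours:", find_off_hours_sessions(sess))
    for f in review_rest_audit(REST_AUDIT_LOG, allowed_users={"local/admin"}):
        print("rest:", f)
```

Run it against exported /var/log/apm and restjavad audit files after replacing the embedded samples with file reads; a burst and an off-hours cluster from the same client IP that coincide with a shell-endpoint call, as in the constructed sample, is the pattern worth escalating to full forensic capture of the appliance rather than something to resolve from logs alone.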