Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks
Thousands of F5 BIG-IP APM Devices Remain Vulnerable to Critical RCE Attacks
TL;DR
Despite ongoing exploitation attempts, over 14,000 F5 BIG-IP Access Policy Manager (APM) instances remain exposed to the internet with a critical remote code execution vulnerability. The Shadowserver Foundation's recent scan reveals the massive attack surface still available to threat actors targeting this widely-used enterprise networking infrastructure.
What Happened
The Shadowserver Foundation, a nonprofit organization that monitors internet security threats, conducted a scan revealing that more than 14,000 F5 BIG-IP APM instances remain accessible online despite active exploitation of a critical-severity remote code execution vulnerability, according to BleepingComputer reporting.
F5's BIG-IP APM (Access Policy Manager) is a widely deployed solution that provides secure remote access and identity management for enterprise networks. These devices often sit at critical network perimeters, making them high-value targets for attackers seeking initial network access.
Technical Analysis
The vulnerability in question affects F5's BIG-IP APM module, which handles authentication and access control for remote users connecting to corporate networks. Remote code execution flaws in such devices are particularly dangerous because they allow attackers to:
- Execute arbitrary commands with system-level privileges
- Establish persistent backdoors into corporate networks
- Pivot to internal systems and data
- Potentially compromise the entire network infrastructure
BIG-IP devices are frequently internet-facing to accommodate remote workers and business partners, significantly expanding the attack surface. When these devices are compromised, attackers gain a trusted position within the network perimeter, often bypassing other security controls.
Impact & Who's Affected
Organizations running vulnerable F5 BIG-IP APM instances face severe risks:
Immediate threats:
- Complete device compromise
- Network lateral movement
- Data exfiltration
- Service disruption
Affected organizations typically include:
- Large enterprises with remote workforce infrastructure
- Managed service providers
- Government agencies
- Financial institutions
- Healthcare organizations
The 14,000+ exposed instances represent a massive attack surface spanning global organizations that rely on F5's infrastructure for critical business operations.
What You Should Do
Immediate actions:
1. Inventory your F5 devices - Identify all BIG-IP APM instances in your environment
2. Apply patches immediately - Update to the latest firmware version addressing this vulnerability
3. Restrict network access - Limit internet exposure using allowlists where possible
4. Monitor for compromise - Check logs for suspicious authentication attempts or configuration changes
5. Implement additional controls - Deploy web application firewalls or reverse proxies as additional protection layers
Ongoing measures:
- Establish regular patching schedules for critical infrastructure
- Implement network segmentation to limit blast radius
- Monitor Shadowserver and F5 security advisories for future threats
The Bigger Picture
This situation highlights several persistent challenges in enterprise cybersecurity. Critical infrastructure devices often lag in patch deployment due to concerns about service disruption, creating extended vulnerability windows. The high number of exposed instances also demonstrates how internet-wide scanning by both defenders and attackers continues to be a crucial aspect of modern threat intelligence.
Organizations must balance accessibility requirements for remote work with security imperatives. The ongoing exploitation of this F5 vulnerability serves as a reminder that network perimeter devices require the same rigorous security attention as internal systems, if not more, given their external exposure and privileged network position.
Source: BleepingComputer analysis of Shadowserver Foundation scanning data