Skip to main content
Emerging ThreatsMalware & Ransomware

F5 BIG-IP Instances Vulnerable to Ongoing RCE Attacks

F5 BIG-IP Instances Vulnerable to Ongoing RCE Attacks

What happens when a widely deployed access gateway sits exposed while attackers are actively exploiting a vulnerability against it? Shadowserver’s recent count suggests the answer is: a lot of systems still at risk.

What Shadowserver found

Internet security watchdog Shadowserver has found over 14,000 F5 BIG‑IP Access Policy Manager (APM) instances exposed online amid ongoing attacks exploiting a critical‑severity remote code execution (RCE) vulnerability. Shadowserver reported the exposure and framed it against the backdrop of active exploitation of that RCE flaw.

The current situation, in plain terms

The fact set is concise: more than 14,000 BIG‑IP APM instances are reachable from the public internet, and attackers are already exploiting a critical RCE vulnerability targeting those systems. The combination — large numbers of exposed gateways plus active exploitation — creates a readily understood operational dilemma for organizations that rely on those devices.

Why it matters — perspectives to consider

  • Technologists: exposed gateway appliances are strategic junctions for network access. The presence of a critical RCE in actively targeted software raises urgent mitigation and containment questions for administrators responsible for those instances.
  • Operators and users: organizations that depend on exposed BIG‑IP APM appliances face decisions about immediate risk reduction, potential service disruption if changes are applied, and how to prioritize scarce operational resources.
  • Policymakers and risk managers: the scale of exposure reported by Shadowserver highlights a systemic visibility problem — tracking thousands of internet‑reachable, vulnerable access points — and suggests a need to evaluate incentives, guidance, or requirements for rapid remediation in critical infrastructure and enterprise fleets.
  • Adversaries: the combination of many exposed targets and an RCE vulnerability being actively exploited creates an attractive environment for opportunistic attackers to probe for easy gains.

Choices and trade‑offs facing organizations

Confronted with the facts Shadowserver put forward, organizations typically face a set of practical choices: confirm whether they operate exposed BIG‑IP APM instances; assess whether those instances are affected by the RCE in question; and decide on immediate mitigations versus longer‑term fixes. Each option carries trade‑offs — speed versus completeness, containment versus potential downtime — and must be weighed against the reality that active exploitation is already underway.

The narrow factual picture Shadowserver provides—exposure of more than 14,000 F5 BIG‑IP APM instances during active RCE attacks—may sound simple, but it places a complex, urgent decision in front of defenders: act now under pressure, or risk allowing ongoing exploitation to expand.

How many organizations will treat exposure as an emergency rather than an inconvenience?

https://www.bleepingcomputer.com/news/security/over-14-000-f5-big-ip-apm-instances-still-exposed-to-rce-attacks/