U.S. CISA adds a flaw in F5 BIG-IP APM to its Known Exploited Vulnerabilities catalog
2026-3-28 07:33:15 Author: securityaffairs.com (view original) Reads: 5

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in F5 BIG-IP APM (Access Policy Manager) to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in F5 BIG-IP APM, tracked as CVE-2025-53521 (CVSS v3.1 score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability in BIG-IP APM allows specially crafted malicious traffic to trigger Remote Code Execution (RCE) on the device, but only when an APM access policy is configured on the targeted virtual server; virtual servers without an access policy are not affected by this condition.

“When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE),” reads the advisory. “Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.”

F5 originally classified the flaw as a Denial-of-Service (DoS) issue. Based on new findings in March 2026, the vendor reclassified it as a critical Remote Code Execution (RCE) vulnerability and raised its CVSS scores accordingly. The fix released for the original DoS classification remains effective, so systems patched at that time are covered, but the flaw has been exploited in the wild against BIG-IP versions that are still vulnerable.
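The advisory's precondition (an APM access policy attached to a virtual server) is the first thing to check when triaging a fleet of BIG-IP devices. The following Python script is an added example, not code from the article or from F5: it parses the output of `tmsh list ltm virtual` and `tmsh list apm profile access` and reports which virtual servers reference an APM access profile. The two sample outputs are constructed for illustration and assume the usual tmsh block layout (`ltm virtual NAME { ... profiles { ... } ... }`); unqualified profile names are assumed to live in `/Common`, which is the default partition.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the layout of `tmsh list ltm virtual` output. Assumption: real
# output carries more properties, but the `ltm virtual NAME { ... }` blocks and their
# `profiles { ... }` sub-blocks look like this.
SAMPLE_VIRTUALS = """\
ltm virtual vs_portal_443 {
    destination /Common/10.0.0.10:443
    ip-protocol tcp
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/portal_access { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
ltm virtual vs_api_8443 {
    destination /Common/10.0.0.11:8443
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
ltm virtual vs_vpn_443 {
    destination /Common/10.0.0.12:443
    profiles {
        /Common/vpn_access { }
        /Common/clientssl {
            context clientside
        }
    }
}
"""

# Constructed sample in the layout of `tmsh list apm profile access` output.
SAMPLE_ACCESS_PROFILES = """\
apm profile access portal_access {
    accept-languages { en }
    access-policy portal_access
    type ltm-apm
}
apm profile access vpn_access {
    accept-languages { en }
    access-policy vpn_access
    type all
}
"""

VIRTUAL_HEADER = re.compile(r"^ltm virtual (\S+) \{$")
ACCESS_HEADER = re.compile(r"^apm profile access (\S+) \{$")
PROFILE_REF = re.compile(r"^\s*(/\S+)\s*\{")


def parse_blocks(text: str, header: re.Pattern) -> Dict[str, List[str]]:
    """Split tmsh list output into {object name: body lines} by tracking brace depth."""
    blocks: Dict[str, List[str]] = {}
    name, depth, body = None, 0, []
    for line in text.splitlines():
        if name is None:
            m = header.match(line)
            if m:
                name, depth, body = m.group(1), 1, []
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:          # closing brace of this object
            blocks[name] = body
            name = None
        else:
            body.append(line)
    return blocks


def access_profile_paths(access_text: str, partition: str = "/Common") -> Set[str]:
    """Full paths of APM access profiles. Assumption: unqualified names live in `partition`."""
    paths = set()
    for name in parse_blocks(access_text, ACCESS_HEADER):
        paths.add(name if name.startswith("/") else f"{partition}/{name}")
    return paths


def profiles_of(body: List[str]) -> List[str]:
    """Profile paths referenced in a virtual server's `profiles { ... }` sub-block."""
    names, depth, inside = [], 0, False
    for line in body:
        if not inside:
            if line.strip() == "profiles {":
                inside, depth = True, 1
            continue
        m = PROFILE_REF.match(line)
        if m and depth == 1:    # direct child of `profiles`, not a nested option like `context`
            names.append(m.group(1))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            inside = False
    return names


def virtuals_with_access_policy(virtuals_text: str, access_text: str) -> Dict[str, List[str]]:
    """Virtual servers carrying an APM access profile, i.e. meeting the advisory's precondition."""
    access = access_profile_paths(access_text)
    exposed: Dict[str, List[str]] = {}
    for vs, body in parse_blocks(virtuals_text, VIRTUAL_HEADER).items():
        hits = [p for p in profiles_of(body) if p in access]
        if hits:
            exposed[vs] = hits
    return exposed


if __name__ == "__main__":
    for vs, hits in virtuals_with_access_policy(SAMPLE_VIRTUALS, SAMPLE_ACCESS_PROFILES).items():
        print(f"{vs}: access policy via {', '.join(hits)}")
```

On a real device, save the two tmsh listings to files and pass their contents to `virtuals_with_access_policy`. The virtual servers it returns are the ones to patch first and to review for signs of compromise; it is a triage aid, not a mitigation, and the vendor fix still has to be applied.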

“We have learned that this vulnerability has been exploited in the vulnerable BIG-IP versions below,” reads the vendor’s advisory.

F5 thanks Schuberg Philis, Bart Vrancken, Fox-IT, and the Dutch NCSC for their help in investigating the issue and ensuring a high-standard coordinated disclosure.

Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by March 30, 2026.
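Reviewing the catalog against an asset inventory is a routine check that is easy to automate. The following Python script is an added example, not code from the article or from CISA: it indexes a KEV feed excerpt by CVE ID, cross-references it with a local inventory of affected hosts, and flags items by days remaining and overdue status. The feed excerpt is constructed in the schema of the published JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); only the CVE ID, vendor, product and March 30, 2026 due date of the first entry come from the article, while the `dateAdded` value, the descriptive strings, the second entry and the inventory are assumptions for illustration.

```python
import json
from datetime import date
from typing import Dict, List

# Constructed excerpt in the schema of the CISA KEV JSON feed. The first entry's cveID,
# vendorProject, product and dueDate come from the article; everything else is assumed.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.03.27",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-53521",
            "vendorProject": "F5",
            "product": "BIG-IP APM",
            "vulnerabilityName": "Constructed sample name",
            "dateAdded": "2026-03-27",
            "shortDescription": "Constructed sample description.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2026-03-30",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-0000",          # placeholder ID for an overdue entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Constructed entry for an overdue item",
            "dateAdded": "2026-02-20",
            "shortDescription": "Constructed sample description.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-03-13",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

# Constructed inventory: CVE -> hosts known to be affected. CVE-0000-0001 is a placeholder
# that is deliberately absent from the catalog excerpt above.
INVENTORY = {
    "CVE-2025-53521": ["bigip-edge-02", "bigip-edge-01"],
    "CVE-0000-0000": ["app-host-a"],
    "CVE-0000-0001": ["app-host-b"],
}


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def triage(kev: Dict[str, dict], inventory: Dict[str, List[str]], today: date) -> List[dict]:
    """One row per inventoried CVE that is in the catalog, most urgent (or most overdue) first."""
    rows = []
    for cve, assets in inventory.items():
        entry = kev.get(cve)
        if entry is None:
            continue                      # not in KEV: out of scope for this check
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "assets": sorted(assets),
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "overdue": today > due,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    for row in triage(load_kev(KEV_SAMPLE), INVENTORY, date(2026, 3, 28)):
        flag = "OVERDUE" if row["overdue"] else f'{row["days_left"]} day(s) left'
        print(f'{row["cve"]} ({row["product"]}) due {row["due"]}: {flag}; '
              f'hosts {", ".join(row["assets"])}; {row["action"]}')
```

To run it against the live catalog, replace `KEV_SAMPLE` with the downloaded feed text and `INVENTORY` with the output of your vulnerability scanner; the field names used here are the documented ones from the feed, so no further mapping is needed.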

Pierluigi Paganini


Source: https://securityaffairs.com/190076/uncategorized/u-s-cisa-adds-a-flaw-in-f5-big-ip-amp-to-its-known-exploited-vulnerabilities-catalog.html