Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
A vulnerability that security teams had labeled denial-of-service, scored 7.5, and deprioritized for months just got reclassified as a 9.8 remote code execution bug. That’s the F5 BIG-IP situation in a sentence.
CVE-2025-53521 was disclosed in December. DoS. Annoying, but manageable. Then in March, F5 updated the advisory with new information: attackers are dropping webshells on unpatched BIG-IP devices right now. CISA gave federal agencies four days to patch something that had been sitting in queues for three months.
This week, it’s three vendors at once.
Citrix NetScaler has CVE-2026-3055, scored 9.3, now under active exploitation after researchers confirmed the jump from reconnaissance to attacks. Ransomware operators have used NetScaler as an initial access path for years. They didn’t need much encouragement.
Fortinet FortiClient EMS has a SQL injection vulnerability that allows unauthenticated remote code execution on the endpoint management server. The fix has been available since December. If you’re on 7.4.4, you had the patch for months.
All three are perimeter and management infrastructure: the systems that, if compromised, open the door to everything else. And all three are under active attack right now.
Patch F5 BIG-IP immediately and check F5 advisories K000156741 and K000486 for IOCs. Update Citrix to 14.1-66.59 or 13.1-62.23. Update Fortinet FortiClient EMS to 7.4.5.