CVE-2025-53521 in F5 BIG-IP Access Policy Manager is actively exploited and listed in the CISA KEV catalog with a federal remediation deadline of 2026-03-30 — effectively immediate. Unauthenticated RCE on a network access gateway represents one of the highest blast-radius scenarios in enterprise environments, with potential for direct lateral movement into internal networks and VPN-protected infrastructure. Patch using F5 advisory K000156741 immediately; treat any BIG-IP APM instance with internet exposure as potentially compromised until verified.