CVE-2025-21087
📋 TL;DR
This vulnerability allows attackers to cause resource exhaustion on F5 BIG-IP systems by sending specific traffic to SSL/TLS or DNSSEC configurations. It affects systems with Client or Server SSL profiles configured on Virtual Servers or DNSSEC signing operations. The attack leads to increased memory and CPU utilization, potentially causing service degradation.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
BIG-IP modules by F5 listed as affected:
- BIG-IP Advanced Web Application Firewall
- BIG-IP Application Acceleration Manager
- BIG-IP Application Security Manager
- BIG-IP Application Visibility And Reporting
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service due to resource exhaustion, rendering affected services unavailable until system restart or traffic mitigation.
Likely Case
Performance degradation and intermittent service disruptions affecting SSL/TLS or DNS services.
If Mitigated
Minimal impact with proper traffic filtering and monitoring in place.
🎯 Exploit Status
The attack requires sending specific traffic patterns but needs no authentication. Complexity is low, since it involves traffic generation rather than complex exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check F5 advisory K000134888 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000134888
Restart Required: No
Instructions:
1. Review F5 advisory K000134888 for affected versions.
2. Upgrade to the patched version specified in the advisory.
3. Apply the patch following F5 standard upgrade procedures.
4. Verify patch application through a version check.
🔧 Temporary Workarounds
Traffic Filtering
Implement network filtering to block malicious traffic patterns that trigger the vulnerability
Resource Monitoring
Increase monitoring of CPU and memory utilization on affected systems with alert thresholds
🧯 If You Can't Patch
- Implement strict network ACLs to limit traffic to SSL/TLS and DNS services
- Deploy rate limiting and DDoS protection for affected services
🔍 How to Verify
Check if Vulnerable:
Check whether the system has Client or Server SSL profiles attached to Virtual Servers, or DNSSEC signing enabled; if so, compare the running version against the F5 advisory
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify system version matches patched version in F5 advisory and monitor for abnormal resource utilization
📡 Detection & Monitoring
Log Indicators:
- Unusual spikes in CPU/memory utilization
- Increased SSL/TLS or DNS error rates
- Resource exhaustion alerts
Network Indicators:
- Abnormal traffic patterns to SSL/TLS ports (443, 465, 993, 995) or DNS port 53
- Increased connection attempts to affected services
SIEM Query:
source="bigip_logs" AND ("high cpu" OR "high memory" OR "resource exhaustion") AND ("ssl" OR "tls" OR "dnssec")
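As an added defender-side example (not code from the page, F5 or the advisory), the script below applies the same logic as the SIEM query above to log lines and adds the sustained CPU/memory threshold check recommended under Resource Monitoring. The `key=value` log format, the `cpu=`/`mem=` fields and all sample lines are constructed assumptions for illustration, not real BIG-IP output; adapt the parsing to your actual log source.

```python
"""Triage BIG-IP-style log lines for the resource-exhaustion indicators above.

Two checks: a keyword filter mirroring the page's SIEM query, and a sustained
CPU/memory threshold detector. The log layout is assumed, not real BIG-IP output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Keyword groups taken from the SIEM query on the page; matched case-insensitively.
RESOURCE_TERMS = ("high cpu", "high memory", "resource exhaustion")
SERVICE_TERMS = ("ssl", "tls", "dnssec")

# Constructed sample lines in an assumed key=value style (not captured from a device).
SAMPLE_LOGS = [
    'source="bigip_logs" ts=2025-01-10T10:00:00Z msg="tmm cpu=41 mem=52 service=ssl"',
    'source="bigip_logs" ts=2025-01-10T10:00:10Z msg="high cpu on tmm0 cpu=93 mem=61 service=tls"',
    'source="bigip_logs" ts=2025-01-10T10:00:20Z msg="high cpu on tmm0 cpu=95 mem=88 service=dnssec"',
    'source="bigip_logs" ts=2025-01-10T10:00:30Z msg="high memory cpu=92 mem=91 service=ssl"',
    'source="bigip_logs" ts=2025-01-10T10:00:40Z msg="high cpu on tmm1 cpu=94 service=http"',
    'source="syslog"     ts=2025-01-10T10:00:50Z msg="resource exhaustion on ssl handshake cpu=97 mem=90"',
]


def matches_siem_query(line: str) -> bool:
    """Mirror the SIEM query: source must be bigip_logs and one term from each group must appear."""
    low = line.lower()
    if 'source="bigip_logs"' not in low:
        return False
    return any(t in low for t in RESOURCE_TERMS) and any(t in low for t in SERVICE_TERMS)


@dataclass
class Sample:
    ts: str
    cpu: Optional[int]
    mem: Optional[int]


_TS = re.compile(r"\bts=(\S+)")
_CPU = re.compile(r"\bcpu=(\d+)")
_MEM = re.compile(r"\bmem=(\d+)")


def parse_sample(line: str) -> Sample:
    """Pull timestamp and utilization numbers out of one assumed-format line; missing fields become None."""
    ts = _TS.search(line)
    cpu = _CPU.search(line)
    mem = _MEM.search(line)
    return Sample(
        ts=ts.group(1) if ts else "",
        cpu=int(cpu.group(1)) if cpu else None,
        mem=int(mem.group(1)) if mem else None,
    )


def sustained_exceedance(lines: Iterable[str], cpu_threshold: int = 90,
                         mem_threshold: int = 85, min_consecutive: int = 2) -> List[str]:
    """Return the timestamp at which each run of consecutive over-threshold samples first reaches min_consecutive.

    Alerting on a sustained run rather than a single sample avoids paging on one
    transient spike while still catching the steady climb this CVE produces.
    """
    alerts: List[str] = []
    run = 0
    for sample in map(parse_sample, lines):
        hot = (sample.cpu is not None and sample.cpu >= cpu_threshold) or \
              (sample.mem is not None and sample.mem >= mem_threshold)
        run = run + 1 if hot else 0
        if run == min_consecutive:  # fire once per sustained run
            alerts.append(sample.ts)
    return alerts


def triage(lines: List[str]) -> dict:
    """Run both checks and return the matching lines and the sustained-threshold alerts."""
    return {
        "siem_hits": [line for line in lines if matches_siem_query(line)],
        "sustained_alerts": sustained_exceedance(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for hit in result["siem_hits"]:
        print("SIEM match:", hit)
    for ts in result["sustained_alerts"]:
        print("Sustained utilization alert starting at", ts)
```

Note that the keyword filter is a plain substring match, just like the free-text SIEM query, so it will not catch a line that carries only numeric utilization fields; the threshold detector covers that case, which is why both checks run together. The last sample line, tagged `source="syslog"`, is deliberately excluded by the keyword filter but still counts toward the sustained-utilization run.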