CVE-2025-21091
📋 TL;DR
When SNMP v1 and v2c are disabled on an F5 BIG-IP system, undisclosed requests to the SNMP service cause memory utilization to increase, which can exhaust system memory and lead to a denial of service. The details of the triggering requests have not been disclosed. Organizations running affected BIG-IP versions are at risk; systems with SNMP v1 or v2c still enabled do not meet the trigger condition but should still be patched.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
BIG-IP is F5's application delivery and security platform. The following BIG-IP modules are listed as affected:
- Big Ip Advanced Web Application Firewall by F5
- Big Ip Application Acceleration Manager by F5
- Big Ip Application Security Manager by F5
- Big Ip Application Visibility And Reporting by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete system outage due to memory exhaustion, causing service disruption and potential cascading failures in dependent systems.
Likely Case
Degraded performance and intermittent service disruption as free memory is consumed, with the device needing a reboot to recover.
If Mitigated
Minimal impact when SNMP is reachable only from trusted management networks and memory utilization is monitored, so that abnormal requests are blocked before they reach the device or are noticed before memory runs out.
🎯 Exploit Status
Exploitation requires sending specific, undisclosed requests to the SNMP service of a system on which SNMP v1 and v2c are disabled. No authentication is required to trigger the memory consumption, so any host that can reach udp/161 on the device is a potential source. This page references no public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in: 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.7, 13.1.5.4 (confirm the fixed build for your branch against the vendor advisory before upgrading)
Vendor Advisory: https://my.f5.com/manage/s/article/K000140933
Restart Required: Yes (the system must be booted into the volume that holds the new image)
Instructions:
1. Download the fixed software image from F5 Downloads and verify its checksum.
2. Upload the image to the BIG-IP system (images are placed in /shared/images).
3. Install it into an inactive boot location: tmsh install sys software image <image.iso> volume <volume> (add create-volume if the volume does not exist yet).
4. Boot into that volume during a maintenance window: tmsh reboot volume <volume>
5. After the reboot, confirm the running version with tmsh show sys version.
🔧 Temporary Workarounds
Enable SNMP v1/v2c
Enabling SNMP v1 or v2c removes the condition under which the undisclosed requests are triggerable, but it re-enables an unauthenticated, cleartext protocol. Use a non-default community string, read-only access and a trusted source network; never use source 0.0.0.0/0. Treat this as a stopgap until the patch is applied.
tmsh modify sys snmp communities add { <name> { community-name <string> access ro source <trusted-network> version v2c } }
tmsh save sys config
Restrict SNMP Access
Limit SNMP access to trusted management networks only. allowed-addresses governs which hosts snmpd answers at all, regardless of SNMP version, so it applies whether or not v1/v2c are enabled; keep the 127. entry so local monitoring keeps working.
tmsh modify sys snmp allowed-addresses replace-all-with { 127. <trusted-network> }
tmsh modify sys snmp communities modify { <community-name> { source <trusted-network> } }
tmsh save sys config
🧯 If You Can't Patch
- Restrict SNMP traffic (udp/161) to trusted management networks with network ACLs and, on the BIG-IP itself, with sys snmp allowed-addresses and self IP Port Lockdown (do not leave SNMP in the allowed set on self IPs that face untrusted networks)
- Monitor memory utilization and alert on sustained growth, and have a recovery procedure ready (service restart or reboot) for devices that reach memory exhaustion
🔍 How to Verify
Check if Vulnerable:
Run tmsh show sys version and compare the Version line against the fixed build for your branch. Run tmsh list sys snmp communities all-properties; if no community with version v1 or v2c exists, SNMP v1/v2c are disabled and the trigger condition for this CVE is present.
Check Version:
tmsh show sys version | grep -i version
Verify Fix Applied:
tmsh show sys version must report a fixed build, and the active boot location shown by tmsh show sys software status must be the volume holding the new image. Memory behaviour is not a reliable indicator of whether the fix is applied; only the running version is.
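The version and SNMP checks above, combined into one script. This is an added example and not F5's code or tooling; it assumes the fixed builds are the ones listed on this page (confirm against K000140933), that tmsh show sys version prints a "Version x.y.z.w" line, and that tmsh list sys snmp communities all-properties shows a "version v1" or "version v2c" property per community. SAMPLE_VERSION and SAMPLE_CONFIG are constructed so the script runs off-box; on a BIG-IP it uses the live tmsh output instead.

```shell
#!/bin/bash
# Added example (not F5's code): offline-testable checks for CVE-2025-21091.
# Assumptions: fixed builds as listed on this page (confirm against K000140933);
# 'tmsh show sys version' prints a "Version <x.y.z.w>" line; 'tmsh list sys snmp
# communities all-properties' shows a "version v1|v2c" property per community.
# SAMPLE_VERSION and SAMPLE_CONFIG are constructed, not captured from a real device.

FIXED_VERSIONS="17.1.0.3 16.1.4.1 15.1.10.2 14.1.5.7 13.1.5.4"

# version_ge A B: true if A >= B in dotted-version order (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# version_status RUNNING: "fixed" if RUNNING is at or above the fixed build of its
# major.minor branch, "vulnerable" if below it, "unknown-branch" if no build is listed.
version_status() {
    local running="$1" branch fixed
    branch=$(printf '%s' "$running" | cut -d. -f1,2)
    for fixed in $FIXED_VERSIONS; do
        if [ "$(printf '%s' "$fixed" | cut -d. -f1,2)" = "$branch" ]; then
            if version_ge "$running" "$fixed"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    echo unknown-branch
}

# snmp_v1v2c_status CONFIG_TEXT: "enabled" if any community is v1 or v2c, else
# "disabled". "disabled" is the condition under which this CVE can be triggered.
snmp_v1v2c_status() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*version[[:space:]]+(v1|v2c)[[:space:]]*$'; then
        echo enabled
    else
        echo disabled
    fi
}

# assess RUNNING CONFIG_TEXT: prints a one-line verdict prefixed OK, WARN, ACTION or CHECK.
assess() {
    local v s
    v=$(version_status "$1")
    s=$(snmp_v1v2c_status "$2")
    case "$v:$s" in
        fixed:*)             echo "OK: $1 is patched (SNMP v1/v2c $s)" ;;
        vulnerable:disabled) echo "ACTION: $1 is unpatched and v1/v2c are disabled (trigger condition present)" ;;
        vulnerable:enabled)  echo "WARN: $1 is unpatched; v1/v2c enabled masks the trigger but is not a fix" ;;
        *)                   echo "CHECK: $1 is not in the fixed-version list used here; consult K000140933" ;;
    esac
}

# Constructed sample of 'tmsh list sys snmp communities all-properties' output.
SAMPLE_CONFIG='sys snmp {
    communities {
        comm-public {
            access ro
            community-name public
            source default
            version v2c
        }
    }
}'
SAMPLE_VERSION="17.1.0.2"

# On a BIG-IP use the live commands; elsewhere fall back to the constructed sample.
if command -v tmsh >/dev/null 2>&1; then
    RUNNING=$(tmsh show sys version | awk '/^[[:space:]]*Version/ {print $2; exit}')
    CONFIG=$(tmsh list sys snmp communities all-properties)
else
    RUNNING="$SAMPLE_VERSION"
    CONFIG="$SAMPLE_CONFIG"
fi
assess "$RUNNING" "$CONFIG"
```

The version comparison is deliberately conservative: anything below the listed fixed build of its branch is reported as vulnerable, and a branch that has no fixed build in the list is reported for manual checking rather than assumed safe.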
📡 Detection & Monitoring
Log Indicators:
- snmpd messages in /var/log/daemon.log and errors or warnings in /var/log/ltm that coincide with memory pressure
- Memory utilization alerts in the system logs, or steady memory growth in tmsh show sys memory with no matching change in traffic
- SNMP-related errors or warnings on a device where SNMP v1/v2c are disabled
Network Indicators:
- SNMP traffic (udp/161) to BIG-IP self IPs or management addresses from hosts outside your monitoring allow-list
- A spike in SNMP request rate from a single source, especially requests that do not come from your SNMPv3 monitoring systems
SIEM Query:
source="bigip_logs" AND ("SNMP" OR "memory" OR "resource") AND ("error" OR "warning" OR "critical")
This query is a generic starting point; adapt the source name and field names to your log pipeline and pair it with a memory utilization threshold alert.
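The network indicators above reduce to two questions: which hosts are sending SNMP requests to the device, and are any of them outside the allow-list. The following script answers both from a packet capture. It is an added example and not F5's code; it assumes IPv4, tcpdump -nn output for udp port 161 (time, "IP", source.port, ">", destination.port:, PDU), and SNMP on the default port. SAMPLE_CAPTURE is constructed, not a real capture.

```shell
#!/bin/bash
# Added example (not F5's code): rank SNMP request sources from a tcpdump capture so that
# a burst from an unexpected host can be investigated. Assumptions: IPv4 only,
# 'tcpdump -nn udp port 161' style lines, SNMP on udp/161. SAMPLE_CAPTURE is constructed.

# snmp_sources_over THRESHOLD: reads capture lines on stdin and prints "count source"
# for every source that sent more than THRESHOLD requests to udp/161, highest first.
snmp_sources_over() {
    awk -v thr="$1" '
        $2 == "IP" && $5 ~ /\.161:$/ {
            src = $3; sub(/\.[0-9]+$/, "", src)   # strip the source port
            n[src]++
        }
        END { for (s in n) if (n[s] > thr) print n[s], s }
    ' | sort -rn
}

# snmp_unlisted_sources ALLOWED...: prints every source seen on stdin that is not in
# the allow-list (the hosts your sys snmp allowed-addresses should contain).
snmp_unlisted_sources() {
    awk -v allowed="$*" '
        BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
        $2 == "IP" && $5 ~ /\.161:$/ {
            src = $3; sub(/\.[0-9]+$/, "", src)
            if (!(src in ok) && !(src in seen)) { seen[src] = 1; print src }
        }
    ' | sort
}

# Constructed capture: one legitimate poller (10.10.0.5) and one unknown host
# (203.0.113.9) hammering the device. Responses from the device are ignored.
SAMPLE_CAPTURE='10:00:00.000101 IP 10.10.0.5.51000 > 10.10.0.1.161:  GetRequest(28)  .1.3.6.1.2.1.1.3.0
10:00:00.000202 IP 10.10.0.1.161 > 10.10.0.5.51000:  GetResponse(31)  .1.3.6.1.2.1.1.3.0=12345
10:00:01.000301 IP 203.0.113.9.40001 > 10.10.0.1.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:00:01.000302 IP 203.0.113.9.40002 > 10.10.0.1.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:00:01.000303 IP 203.0.113.9.40003 > 10.10.0.1.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:00:01.000304 IP 203.0.113.9.40004 > 10.10.0.1.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:00:01.000305 IP 203.0.113.9.40005 > 10.10.0.1.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:00:02.000401 IP 10.10.0.5.51001 > 10.10.0.1.161:  GetRequest(28)  .1.3.6.1.2.1.1.5.0'

echo "Sources with more than 3 requests:"
printf '%s\n' "$SAMPLE_CAPTURE" | snmp_sources_over 3
echo "Sources not in the allow-list:"
printf '%s\n' "$SAMPLE_CAPTURE" | snmp_unlisted_sources 10.10.0.5 10.10.0.6
```

On a live device, replace the sample with tcpdump -nn -i <interface> udp port 161 output captured over a few minutes. Because the triggering requests are undisclosed, source and rate are the only signals available from traffic alone; correlate any hit with memory growth on the device.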