CVE-2025-23413

4.4 MEDIUM

📋 TL;DR

BIG-IP Next Central Manager logs sensitive authentication information in pgaudit log files when users log in via webUI or API using local authentication. This affects organizations using vulnerable versions of BIG-IP Next Central Manager for network management.

💻 Affected Systems

Products:
  • F5 BIG-IP Next Central Manager
Versions: Versions prior to 1.5.0
Operating Systems: Not specified - appliance-based
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects local authentication methods, not external authentication sources. Software versions with End of Technical Support are not evaluated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with access to log files could obtain valid credentials and gain unauthorized access to the management system, potentially compromising the entire network infrastructure.

🟠 Likely Case

Insiders or attackers with existing access to log files could harvest credentials and escalate privileges within the management system.

🟢 If Mitigated

With proper log file permissions and access controls, the exposed information remains inaccessible to unauthorized users.

🌐 Internet-Facing: MEDIUM - If log files are accessible via web interfaces or misconfigured permissions, internet-facing systems could expose credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could access logs containing sensitive authentication data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires access to log files but no special technical skills needed to read plaintext credentials.

Exploitation requires existing access to log files through file system access or log viewing interfaces.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.0 and later

Vendor Advisory: https://my.f5.com/manage/s/article/K000149185

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download BIG-IP Next Central Manager version 1.5.0 or later from F5 Downloads.
3. Follow the F5 upgrade documentation for BIG-IP Next Central Manager.
4. Verify upgrade completion and functionality.

🔧 Temporary Workarounds

Restrict log file access (linux)

Set strict file permissions on pgaudit log files to prevent unauthorized access.

chmod 600 /var/log/pgaudit/*
chown root:root /var/log/pgaudit/*

Use external authentication (all)

Configure authentication through external sources (LDAP, RADIUS, SAML) instead of local authentication.

🧯 If You Can't Patch

  • Implement strict access controls on log directories and files
  • Regularly monitor and audit access to pgaudit log files

🔍 How to Verify

Check if Vulnerable:

Check BIG-IP Next Central Manager version via webUI or CLI. Versions below 1.5.0 are vulnerable.

Check Version:

From CLI: show version | grep "BIG-IP Next Central Manager"

Verify Fix Applied:

After upgrading to 1.5.0+, verify that authentication attempts no longer log sensitive information in pgaudit logs.

📡 Detection & Monitoring

Log Indicators:

  • Plaintext credentials in pgaudit log files
  • Unauthorized access attempts to log directories

Network Indicators:

  • Unusual authentication patterns or log file access

SIEM Query:

source="pgaudit.log" AND ("password" OR "credential" OR "authentication")
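Added example, not from F5 or this page: a POSIX shell check that verifies the chmod/chown workaround above holds on the pgaudit log directory and counts log lines matching the same keywords as the SIEM query. It assumes the /var/log/pgaudit path from the workaround as the default directory; the expected owner is taken as an argument.

```shell
# check_pgaudit_perms DIR OWNER
# Prints one line per file that is readable or writable by group/others,
# or that is not owned by OWNER. Returns 0 when every file passes, 1 otherwise.
# Defaults (assumed, not from the advisory): /var/log/pgaudit and root.
check_pgaudit_perms() {
    dir="${1:-/var/log/pgaudit}"
    owner="${2:-root}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Field 1 of `ls -ld` is the mode string, field 3 is the owner.
        set -- $(ls -ld "$f")
        mode=$1
        fowner=$3
        # Characters 5-10 of the mode string are the group and other bits;
        # anything other than "------" is looser than mode 600.
        if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
            echo "loose permissions: $f ($mode)"
            rc=1
        fi
        if [ "$fowner" != "$owner" ]; then
            echo "unexpected owner: $f ($fowner, expected $owner)"
            rc=1
        fi
    done
    return $rc
}

# count_sensitive_hits FILE
# Counts lines matching the SIEM query keywords (case-insensitive). After the
# upgrade to 1.5.0+, a non-zero count on fresh logins is worth a closer look.
# grep -c exits 1 on "no match" while still printing 0, so only that status
# is tolerated; real errors (missing file) still propagate.
count_sensitive_hits() {
    grep -c -i -E 'password|credential|authentication' "$1" || [ $? -eq 1 ]
}
```

The owner passed in should be the account that actually writes the pgaudit files on the appliance, so that tightening ownership does not stop the logging process from writing.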
