CVE-2025-24312
📋 TL;DR
This vulnerability in BIG-IP AFM with the IPS module enabled allows undisclosed traffic to cause excessive CPU utilization, potentially leading to denial of service. It affects F5 BIG-IP systems that have AFM provisioned, the IPS module enabled, and a protocol inspection profile attached to a virtual server, firewall rule, or policy; a system with no attached protocol inspection profile is not exposed. F5 evaluates only software versions that have not reached End of Technical Support, so versions past that date are not assessed in the advisory.
💻 Affected Systems
- F5 BIG-IP Advanced Firewall Manager (AFM)
📦 What is this software?
BIG-IP Advanced Firewall Manager (AFM) is F5's network firewall module for the BIG-IP platform. Its IPS feature (protocol inspection) adds protocol compliance checks and signature matching to traffic passing through a virtual server; it is enabled by attaching a protocol inspection profile to a virtual server, firewall rule, or policy, which is the configuration this vulnerability depends on.
⚠️ Risk & Real-World Impact
Worst Case
Sustained CPU exhaustion on the affected BIG-IP, causing denial of service for traffic through that system, not only for the virtual server receiving the malicious traffic.
Likely Case
Degraded performance and intermittent service disruptions while CPU is consumed by the triggering traffic, clearing once the traffic stops.
If Mitigated
Minimal impact once the fixed version is installed or protocol inspection profiles are detached; monitoring of CPU and inspection-enabled virtual servers helps detect attempts in the meantime.
🎯 Exploit Status
Exploitation requires sending specific traffic patterns, which F5 has not disclosed, through a virtual server, firewall rule, or policy that has a protocol inspection profile attached. No authentication is required: the traffic traverses the data plane, so reaching the management interface is not needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check F5 advisory K000141380 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000141380
Restart Required: Yes for the upgrade (a BIG-IP software upgrade is installed to a separate boot location and the system is rebooted into it). Removing protocol inspection profiles as a workaround needs no restart.
Instructions:
1. Review F5 advisory K000141380 to confirm your branch is affected and identify the fixed version.
2. Install the fixed version to an inactive boot location and reboot into it, following F5's upgrade documentation.
3. After the upgrade, confirm the protocol inspection profiles are still attached where intended and that IPS inspection functions as expected.
🔧 Temporary Workarounds
Remove protocol inspection profiles
Applies to: all affected versions. Remove protocol inspection profiles from every virtual server, firewall rule, and policy that references them. This is the mitigation F5 gives in K000141380; it removes the vulnerable inspection path while leaving AFM provisioned and the rest of the firewall policy in place. For a virtual server:
tmsh modify ltm virtual <virtual_server_name> profiles delete { <inspection_profile_name> }
then save the configuration with tmsh save sys config, and repeat for firewall rules and policies that reference a protocol inspection profile.
Note: there is no separate tmsh switch that turns off the IPS module while AFM stays provisioned, and the security firewall dos-device-config object configures device-level DoS protection, not protocol inspection, so changing it does not mitigate this issue. If protocol inspection is not required, detaching every profile as above is the supported workaround.
🧯 If You Can't Patch
- Restrict which sources can reach virtual servers that have a protocol inspection profile attached (network ACLs or AFM firewall rules), since only traffic through an inspected virtual server, rule, or policy can trigger the issue
- Apply rate limiting or traffic shaping on those virtual servers to cap the traffic volume an attacker can push through inspection, limiting rather than preventing CPU growth
🔍 How to Verify
Check if Vulnerable:
Check that AFM is provisioned (tmsh list sys provision afm), that protocol inspection profiles exist (tmsh list security protocol-inspection profile), and that at least one is attached to a virtual server (tmsh list ltm virtual profiles) or referenced by a firewall rule or policy (search the security firewall rule and policy configuration for the profile names). A system with AFM provisioned but no attached protocol inspection profile is not exposed.
Check Version:
tmsh show sys version
Verify Fix Applied:
Confirm that the running version (tmsh show sys version) is one of the fixed versions listed in K000141380 and that the active boot location is the upgraded one (tmsh show sys software). CPU behaviour under traffic is a monitoring signal, not proof that the fix is applied.
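As an added example (not F5's code and not part of the advisory), the following POSIX shell script cross-references the output of tmsh list security protocol-inspection profile with tmsh list ltm virtual profiles and reports every virtual server that has a protocol inspection profile attached, which is the exposure condition for this CVE. The two SAMPLE_* variables are constructed output in tmsh's list layout; the profile and virtual server names in them are made up. It covers virtual servers only; firewall rules and policies that reference a profile still need a separate check.

```shell
#!/bin/sh
# Added example: list virtual servers that reference an AFM protocol inspection
# profile (the exposure condition for CVE-2025-24312). The two SAMPLE_* variables
# hold constructed output in the layout of
#   tmsh list security protocol-inspection profile
#   tmsh list ltm virtual profiles
# On a device, pass the real output of those commands instead (see the demo below).

SAMPLE_PROFILES='security protocol-inspection profile /Common/ips_strict {
    app-service none
    description "constructed sample"
}
security protocol-inspection profile /Common/protocol_inspection {
}'

SAMPLE_VIRTUALS='ltm virtual /Common/vs_web {
    profiles {
        /Common/http { }
        /Common/ips_strict { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_dns {
    profiles {
        /Common/udp { }
    }
}'

# Print the full path of every protocol inspection profile, one per line.
# Only the object header lines carry the name; everything else is skipped.
inspection_profile_names() {
    printf '%s\n' "$1" | awk '$1 == "security" && $2 == "protocol-inspection" && $3 == "profile" { print $4 }'
}

# Print "<virtual server> <profile>" for every virtual server whose profile list
# contains one of the protocol inspection profiles.
#   $1 = output of `tmsh list ltm virtual profiles`
#   $2 = output of `tmsh list security protocol-inspection profile`
exposed_virtuals() {
    # BIG-IP object names cannot contain spaces, so a space-separated list is safe.
    names=$(inspection_profile_names "$2" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v plist="$names" '
        BEGIN {
            n = split(plist, arr, " ")
            for (i = 1; i <= n; i++) if (arr[i] != "") want[arr[i]] = 1
        }
        $1 == "ltm" && $2 == "virtual" { vs = $3 }   # remember the current virtual server
        $1 in want { print vs, $1 }                  # profile line naming an inspection profile
    '
}

# Exit status summary for scripting: 0 = nothing exposed, 1 = at least one virtual
# server has a protocol inspection profile attached.
exposure_status() {
    [ -z "$(exposed_virtuals "$1" "$2")" ]
}

# Demo on the constructed sample. On a device, run instead:
#   exposed_virtuals "$(tmsh list ltm virtual profiles)" "$(tmsh list security protocol-inspection profile)"
exposed_virtuals "$SAMPLE_VIRTUALS" "$SAMPLE_PROFILES"
```

On the constructed sample the script reports /Common/vs_web with /Common/ips_strict and nothing for /Common/vs_dns; every line it prints is a virtual server that should either be upgraded or have the named profile removed with the tmsh modify command above.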
📡 Detection & Monitoring
Log Indicators:
- Sustained high CPU utilization alerts (TMM or system CPU) in system logs or SNMP/telemetry, correlated with traffic to inspection-enabled virtual servers
- IPS (protocol inspection) daemon restart events
- Virtual server performance degradation or connection-drop logs on virtual servers with a protocol inspection profile attached
Network Indicators:
- Unusual traffic patterns to virtual servers with IPS inspection
- Increased latency through affected services
SIEM Query:
Illustrative Splunk-style search; adjust the source and field names to your ingestion. A keyword search cannot express a numeric threshold, so the CPU value must first be extracted into a field and filtered on:
source="bigip*" ("CPU utilization" OR ("ips" AND "restart")) | rex "CPU utilization (?<cpu_pct>\d+)%" | where isnull(cpu_pct) OR cpu_pct > 90