CVE-2025-24326
📋 TL;DR
A memory exhaustion vulnerability in F5 BIG-IP Advanced WAF/ASM when the Behavioral DoS TLS Signatures feature is enabled. Attackers can send specially crafted traffic to cause excessive memory consumption, potentially leading to denial of service. Affects BIG-IP systems with BADoS TLS Signatures configured.
💻 Affected Systems
- F5 BIG-IP Advanced WAF
- F5 BIG-IP ASM
📦 What is this software?
BIG-IP Application Security Manager (ASM) by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete system outage due to memory exhaustion, causing denial of service for all applications behind the BIG-IP device.
Likely Case
Degraded performance and intermittent service disruptions as memory resources are consumed.
If Mitigated
Minimal impact with proper monitoring and resource limits in place.
🎯 Exploit Status
Exploitation requires sending specific traffic patterns but does not require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to F5 advisory K000140950 for fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000140950
Restart Required: No
Instructions:
1. Review F5 advisory K000140950 for affected versions.
2. Upgrade to the fixed version listed in the advisory.
3. No restart is required for patch application.
🔧 Temporary Workarounds
Disable BADoS TLS Signatures
Temporarily disable the Behavioral DoS TLS Signatures feature if it is not required:
tmsh modify security dos device-config dos-device-config tls-signatures disabled
Implement Rate Limiting
Configure rate-limiting policies to restrict the volume of traffic that could trigger the vulnerability.
🧯 If You Can't Patch
- Disable Behavioral DoS TLS Signatures feature immediately
- Implement strict network segmentation and firewall rules to limit traffic to BIG-IP management interfaces
🔍 How to Verify
Check if Vulnerable:
Check whether BADoS TLS Signatures is enabled:
tmsh show security dos device-config dos-device-config | grep tls-signatures
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify that the running version is a patched one:
tmsh show sys version | grep -i version
📡 Detection & Monitoring
Log Indicators:
- Unusual memory consumption spikes in system logs
- BADoS process crashes or restarts
- High CPU usage by security processes
Network Indicators:
- Abnormal TLS handshake patterns
- Sudden increase in connection attempts to TLS services
SIEM Query:
source="bigip_logs" AND ("memory exhaustion" OR "BADoS" OR "tls-signatures")
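The log indicators and SIEM query above, turned into offline triage logic, as an added example that is not part of this advisory or of any F5 tooling. The log line format and the sample lines are constructed for illustration and do not reproduce real BIG-IP output; the spike thresholds are assumptions to tune for your platform.

```python
import re

# Keywords from the SIEM query above, matched case-insensitively.
KEYWORDS = ("memory exhaustion", "bados", "tls-signatures")
# Hypothetical memory reading format; adapt the pattern to your real log source.
MEM_RE = re.compile(r"memory usage (\d+)%")

# Constructed sample log lines (not real BIG-IP output).
SAMPLE_LOGS = [
    "Jan 10 12:00:01 bigip1 notice tmm[1234]: memory usage 42%",
    "Jan 10 12:00:31 bigip1 notice tmm[1234]: memory usage 45%",
    "Jan 10 12:01:01 bigip1 notice tmm[1234]: memory usage 71%",
    "Jan 10 12:01:31 bigip1 notice tmm[1234]: memory usage 93%",
    "Jan 10 12:01:40 bigip1 err bados[5678]: process restarted after memory exhaustion",
    "Jan 10 12:02:00 bigip1 info httpd[99]: GET /tmui/ 200",
]


def keyword_hits(lines):
    """Lines that the SIEM query above would return."""
    return [line for line in lines if any(k in line.lower() for k in KEYWORDS)]


def memory_spikes(lines, jump=20, ceiling=90):
    """Readings that rise >= `jump` points over the previous sample or reach `ceiling`.

    Returns (percentage, line) tuples in log order; thresholds are assumed values.
    """
    alerts, prev = [], None
    for line in lines:
        match = MEM_RE.search(line)
        if not match:
            continue
        cur = int(match.group(1))
        if (prev is not None and cur - prev >= jump) or cur >= ceiling:
            alerts.append((cur, line))
        prev = cur
    return alerts


def bados_restarts(lines):
    """Lines suggesting the BADoS process crashed or was restarted."""
    return [line for line in lines
            if "bados" in line.lower() and re.search(r"crash|restart|respawn", line, re.I)]


def triage(lines):
    """Summarise the three log indicators for a batch of lines."""
    return {"keyword_hits": len(keyword_hits(lines)),
            "memory_spikes": len(memory_spikes(lines)),
            "bados_restarts": len(bados_restarts(lines))}
```

Correlate a memory spike with a BADoS restart in the same window before escalating; a spike alone is also consistent with ordinary load.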