CVE-2025-36504
📋 TL;DR
This vulnerability affects F5 BIG-IP systems with HTTP/2 httprouter profiles configured on virtual servers. Undisclosed HTTP/2 responses can cause memory exhaustion, potentially leading to denial of service. Only systems with specific HTTP/2 configurations are affected.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
The following F5 BIG-IP modules are listed as affected:
- BIG-IP Advanced Web Application Firewall
- BIG-IP Application Acceleration Manager
- BIG-IP Application Security Manager
- BIG-IP Application Visibility And Reporting
- BIG-IP Next Cloud Native Network Functions
⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability due to memory exhaustion causing denial of service for all services on the affected BIG-IP device.
Likely Case
Degraded performance and intermittent service disruptions as memory resources become constrained.
If Mitigated
Minimal impact with proper monitoring and resource limits in place, though some performance degradation may occur.
🎯 Exploit Status
Exploitation requires sending specific HTTP/2 responses to trigger memory exhaustion. No authentication needed if HTTP/2 service is exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check F5 advisory K000140919 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000140919
Restart Required: Yes
Instructions:
1. Review F5 advisory K000140919 for affected versions.
2. Upgrade to a fixed version per F5 documentation.
3. Restart BIG-IP services after patching.
4. Verify HTTP/2 functionality post-upgrade.
🔧 Temporary Workarounds
Disable HTTP/2 httprouter profile
Remove or disable the HTTP/2 httprouter profile configuration on vulnerable virtual servers:
tmsh modify ltm virtual <virtual_server_name> profiles delete { http2 }
Implement rate limiting
Configure rate limiting on HTTP/2 traffic to reduce impact:
tmsh create ltm profile http2 <profile_name> settings { rate-limit <value> }
🧯 If You Can't Patch
- Disable HTTP/2 httprouter profiles on all virtual servers
- Implement strict network segmentation and limit HTTP/2 traffic to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check whether any virtual servers have HTTP/2 httprouter profiles configured using:
tmsh list ltm virtual one-line | grep http2
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify that HTTP/2 profiles are removed or that the system is upgraded to a fixed version, then test HTTP/2 functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual memory usage spikes in /var/log/ltm
- HTTP/2 connection errors in application logs
- System log entries indicating memory exhaustion
Network Indicators:
- Abnormal HTTP/2 traffic patterns
- Increased TCP retransmissions to BIG-IP HTTP/2 services
SIEM Query:
source="bigip_logs" AND ("memory exhaustion" OR ("http2" AND "error"))
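As an added example (not part of this page or of F5's own tooling), the Python script below applies the verification check from the "How to Verify" section and the SIEM-query logic from this section to constructed sample data: the `tmsh list ltm virtual one-line` layout it parses (one virtual server per line, profiles in a braced block) and the /var/log/ltm message text are assumptions made for illustration.

```python
import re

# Constructed sample of `tmsh list ltm virtual one-line` output; the one-line layout is assumed.
SAMPLE_TMSH_OUTPUT = """\
ltm virtual vs_api_https { destination 10.0.0.10:443 ip-protocol tcp profiles { /Common/clientssl { context clientside } /Common/http { } /Common/http2 { } /Common/tcp { } } }
ltm virtual vs_legacy_http { destination 10.0.0.11:80 ip-protocol tcp profiles { /Common/http { } /Common/tcp { } } }
ltm virtual vs_router { destination 10.0.0.12:443 ip-protocol tcp profiles { /Common/httprouter { } /Common/tcp { } } }
"""
# Constructed sample /var/log/ltm lines; the message text is illustrative only.
SAMPLE_LTM_LOG = """\
Jan 10 12:00:01 bigip1 notice tmm[1234]: No members available for pool /Common/app_pool
Jan 10 12:00:05 bigip1 err tmm[1234]: HTTP2 connection error on 10.0.0.5:44321 -> 10.0.0.10:443
Jan 10 12:00:09 bigip1 crit tmm[1234]: Memory exhaustion detected, aggressive mode sweeper active
Jan 10 12:00:12 bigip1 info tmm[1234]: HTTP2 stream settled normally
"""

def _braced_block(text: str, start: int) -> str:
    """Return the inside of the brace block that opens at text[start] == '{'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in tmsh output")

def virtual_server_profiles(tmsh_output: str) -> dict:
    """Map each virtual server name to the profile names in its profiles block."""
    result = {}
    for line in tmsh_output.splitlines():
        m = re.match(r"ltm virtual (\S+) \{", line)
        if not m:
            continue
        idx = line.find("profiles {")
        block = _braced_block(line, idx + len("profiles ")) if idx != -1 else ""
        # Each profile entry looks like `name { ... }`, so take the token before `{`.
        result[m.group(1)] = re.findall(r"(\S+) \{", block)
    return result

def http2_exposed_virtuals(tmsh_output: str) -> list:
    """Virtual servers carrying an http2 or httprouter profile (the page's grep, made exact)."""
    return [name for name, profs in virtual_server_profiles(tmsh_output).items()
            if any(p.rsplit("/", 1)[-1] in ("http2", "httprouter") for p in profs)]

def matches_siem_query(line: str) -> bool:
    """The page's SIEM query with explicit precedence: "memory exhaustion" OR ("http2" AND "error")."""
    text = line.lower()
    return "memory exhaustion" in text or ("http2" in text and "error" in text)
```

Run `http2_exposed_virtuals` over real `tmsh` output to list the virtual servers to review, and feed `matches_siem_query` with lines from /var/log/ltm to see which entries the SIEM query would surface.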