CVE-2025-47148

6.5 MEDIUM

📋 TL;DR

This vulnerability affects BIG-IP systems configured as both SAML service provider and identity provider with single logout enabled. Undisclosed requests can cause memory exhaustion, potentially leading to denial of service. Only systems with specific SAML SLO configurations are affected.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: All supported versions prior to the fix
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured as both SAML SP and IdP with single logout enabled in an access policy


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system unavailability due to memory exhaustion, disrupting all services running on the BIG-IP device

🟠 Likely Case: Degraded performance or intermittent service disruptions as memory resources become constrained

🟢 If Mitigated: Minimal impact with proper monitoring and resource limits in place

🌐 Internet-Facing: MEDIUM - Exploitation requires sending specific requests to SAML endpoints, which are typically internet-facing
🏢 Internal Only: LOW - Internal systems would need to be specifically targeted through authenticated channels

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires knowledge of SAML protocol and specific BIG-IP configuration. No public exploit details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check K000148816 for specific fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000148816

Restart Required: No

Instructions:

1. Review K000148816 for applicable fixed versions.
2. Upgrade to the recommended version.
3. Verify that the SAML SLO configuration remains functional.

🔧 Temporary Workarounds

Disable SAML Single Logout

all

Temporarily disable single logout functionality in SAML access policies

Navigate to Access > Federation > SAML Service Provider > [your SP] > Single Logout Settings > Disable

Implement Rate Limiting

all

Apply rate limiting to SAML endpoints to prevent request flooding

Configure rate limiting policies on virtual servers hosting SAML services

🧯 If You Can't Patch

  • Disable SAML single logout functionality in affected access policies
  • Implement strict network controls to limit access to SAML endpoints

🔍 How to Verify

Check if Vulnerable:

Check if BIG-IP is configured as both SAML SP and IdP with SLO enabled: Access > Federation > SAML configurations

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify version is updated to fixed release and monitor memory utilization during SAML operations

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory utilization spikes
  • SAML SLO request patterns
  • System log warnings about memory pressure

Network Indicators:

  • High volume of SAML protocol traffic to SLO endpoints
  • Unusual request patterns to /saml endpoints

SIEM Query:

source="bigip_logs" AND ("memory high" OR "SAML SLO" OR "resource exhaustion")
