CVE-2025-54854
📋 TL;DR
This vulnerability allows attackers to cause denial of service by sending specific traffic to BIG-IP APM systems with OAuth access profiles configured. The apmd process terminates, disrupting application access. Organizations running affected F5 BIG-IP APM versions with OAuth profiles are impacted.
💻 Affected Systems
- F5 BIG-IP APM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for applications behind the affected virtual server, requiring manual intervention to restore service.
Likely Case
Intermittent service disruptions and degraded performance as the apmd process restarts, potentially causing application timeouts.
If Mitigated
Minimal impact with proper network segmentation and traffic filtering preventing malicious packets from reaching vulnerable systems.
🎯 Exploit Status
F5 describes the trigger only as undisclosed traffic, which suggests specially crafted requests are needed; the CVSS score and the advisory wording nevertheless indicate low attack complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Specific fixed versions available in F5 advisory K000156602
Vendor Advisory: https://my.f5.com/manage/s/article/K000156602
Restart Required: Yes
Instructions:
1. Review F5 advisory K000156602 for affected versions.
2. Upgrade to a fixed version per F5 documentation.
3. Restart BIG-IP services after patching.
4. Verify OAuth functionality post-upgrade.
🔧 Temporary Workarounds
Remove OAuth profiles
Temporarily remove OAuth access profiles from vulnerable virtual servers to eliminate the attack vector (OAuth-protected applications behind those virtual servers are unavailable until the profile is re-added):
tmsh modify ltm virtual <virtual_server_name> profiles delete { <access_profile_name> }
Network filtering
Implement network ACLs so that only trusted sources can reach the affected virtual servers.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Deploy WAF or IPS with DoS protection rules in front of vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check whether BIG-IP APM has OAuth access profiles configured on virtual servers using: tmsh list ltm virtual one-line | grep oauth (this only matches virtual servers whose attached profile names contain "oauth"; if your naming differs, review the access profile attached to each APM virtual server directly).
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify version is updated to fixed release: tmsh show sys version | grep Version
📡 Detection & Monitoring
Log Indicators:
- apmd process termination logs in /var/log/apm
- Increased apmd restart events in system logs
- Application access failures correlating with apmd crashes
Network Indicators:
- Unusual traffic patterns to OAuth endpoints
- Increased TCP resets or connection failures to APM virtual servers
SIEM Query:
source="*apm*" AND ("terminated" OR "crashed" OR "restarting") AND process="apmd"
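The log indicators and SIEM query above flag individual apmd termination messages; a DoS of this kind shows up as a burst of restarts in a short window. The following Python script is an added example (not from F5 or this advisory) that applies the same keyword filter to syslog-style lines and raises one alert per burst. The log layout and sample lines are constructed for the example and are not a real BIG-IP capture.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines; the syslog-like layout is an assumption, not a real capture.
SAMPLE_LOG = """\
Oct 10 12:00:01 bigip1 notice apmd[4021]: 01490000:5: session 1a2b3c created
Oct 10 12:00:05 bigip1 err apmd[4021]: 01490000:3: apmd terminated unexpectedly
Oct 10 12:00:06 bigip1 info sshd[2200]: Accepted publickey for admin
Oct 10 12:00:09 bigip1 err apmd[4088]: 01490000:3: apmd crashed, restarting
Oct 10 12:00:13 bigip1 err apmd[4130]: 01490000:3: apmd terminated unexpectedly
Oct 10 12:00:40 bigip1 notice apmd[4175]: 01490000:5: session 4d5e6f created
"""

# Assumed syslog header: timestamp, host, level, process[pid]: message
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ (\w+)\[\d+\]: (.*)$")
# Same keywords as the SIEM query in the advisory
CRASH_RE = re.compile(r"terminated|crashed|restarting", re.IGNORECASE)


def apmd_crash_events(log_text, year=2025):
    """Return (timestamp, message) for apmd lines that mention a termination or restart."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "apmd":
            continue  # other daemons are out of scope, mirroring process="apmd"
        if not CRASH_RE.search(m.group(3)):
            continue
        ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
        events.append((ts, m.group(3)))
    return events


def crash_bursts(events, window_seconds=60, threshold=3):
    """Sliding window: one alert when `threshold` crash events fall within `window_seconds`."""
    # A single apmd restart can be benign; repeated restarts in a short window are the pattern a DoS produces.
    window = timedelta(seconds=window_seconds)
    recent, alerts = deque(), []
    for ts, _ in sorted(events):
        while recent and ts - recent[0] > window:
            recent.popleft()
        recent.append(ts)
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()  # one alert per burst, not one per event
    return alerts
```

Run `crash_bursts(apmd_crash_events(SAMPLE_LOG))` to get the timestamp at which each burst completes; tune the window and threshold to the normal restart rate of your own devices before alerting on it.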