CVE-2025-58474
📋 TL;DR
Undisclosed requests sent to a BIG-IP Advanced WAF virtual server with SSRF protection enabled, or to an NGINX instance running App Protect Bot Defense, can disrupt the device's handling of new client connections. The result is a denial of service: legitimate traffic is not processed while the condition persists. Only deployments with one of these specific F5 features enabled are affected.
💻 Affected Systems
- BIG-IP Advanced WAF
- NGINX with App Protect Bot Defense
📦 What is this software?
BIG-IP Advanced WAF is F5's web application firewall module for the BIG-IP platform; SSRF protection is one of the features of its security policies. NGINX App Protect is F5's WAF module for NGINX, and Bot Defense is its bot detection and mitigation component.
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for affected virtual servers, preventing legitimate client access to protected applications.
Likely Case
Intermittent service disruption where some legitimate client requests are blocked or delayed.
If Mitigated
Minimal impact with proper monitoring and quick response to any service degradation.
🎯 Exploit Status
Triggering the disruption requires the undisclosed request pattern; no exploit details are referenced in this page or in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check F5 advisory K000148512 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000148512
Restart Required: No
Instructions:
1. Review F5 advisory K000148512 for affected versions.
2. Upgrade to the fixed versions listed in the advisory.
3. Apply any configuration changes the advisory specifies.
🔧 Temporary Workarounds
Disable the affected feature temporarily
Temporarily disable SSRF protection on BIG-IP, or Bot Defense in NGINX App Protect, until the fix is installed. Both are policy-level settings, so the change removes that protection for every application using the policy; re-enable it once patched.
# BIG-IP: disable SSRF protection in the Advanced WAF security policy attached to the affected virtual server
# NGINX: set "bot-defense" -> "settings" -> "isEnabled" to false in the App Protect policy, or remove app_protect_enable from the affected server/location block
🧯 If You Can't Patch
- Implement rate limiting to reduce impact of disruptive requests
- Deploy additional monitoring for service disruption and implement automated failover
🔍 How to Verify
Check if Vulnerable:
A host is exposed only if the feature is actually in use: on BIG-IP, an Advanced WAF security policy with SSRF protection enabled is attached to a virtual server; on NGINX, App Protect is enabled with a policy whose Bot Defense is on. If so, compare the running version with the fixed versions in K000148512.
Check Version:
# BIG-IP: tmsh show sys version | grep Version
# NGINX core: nginx -v
# NGINX App Protect module (the advisory may list module versions separately): rpm -q app-protect  (RHEL/CentOS)  or  dpkg -l app-protect  (Debian/Ubuntu)
Verify Fix Applied:
After patching, confirm the version matches a fixed release in the advisory, re-enable any feature that was disabled as a workaround, and confirm that legitimate clients can establish new connections through the affected virtual servers.
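The two checks above (feature enabled, version against the advisory) and the workaround check (is Bot Defense actually on in the App Protect policy) can be scripted. The following is an added example, not code from F5 or from this page. It assumes the standard `tmsh show sys version` layout, the `app_protect_enable` directive, and the `policy.bot-defense.settings.isEnabled` key of an NGINX App Protect WAF policy; the sample outputs, hostnames and the fixed version used in the demo are constructed placeholders, and the real fixed versions must be taken from K000148512.

```python
import json
import re

# Added example (not from the F5 advisory or this page). It checks the two
# preconditions the advisory combines: a vulnerable version AND the affected
# feature enabled. Fixed version numbers are deliberately not hard-coded;
# read them from K000148512 and pass them to is_fixed().

VERSION_RE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", re.MULTILINE)


def parse_tmsh_version(tmsh_output: str) -> str:
    """Pull the 'Version' field out of 'tmsh show sys version' output."""
    m = VERSION_RE.search(tmsh_output)
    if not m:
        raise ValueError("no Version line in tmsh output")
    return m.group(1)


def version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))


def is_fixed(installed: str, fixed_versions) -> bool:
    """True when the installed build is at or above the fixed release of its
    own major.minor branch. F5 fixes each supported branch separately, so a
    17.1.x host is only compared against the 17.1.x fix, never against 16.1.x.
    A branch with no listed fix is reported as not fixed."""
    inst = version_tuple(installed)
    for fv in fixed_versions:
        f = version_tuple(fv)
        if f[:2] == inst[:2]:
            return inst >= f
    return False


def bot_defense_enabled(policy_json: str) -> bool:
    """NGINX App Protect WAF policy: bot defense lives under
    policy -> bot-defense -> settings -> isEnabled."""
    policy = json.loads(policy_json).get("policy", {})
    settings = policy.get("bot-defense", {}).get("settings", {})
    return bool(settings.get("isEnabled", False))


def nginx_feature_active(nginx_conf: str, policy_json: str) -> bool:
    """Exposed only if app_protect_enable is on AND the policy enables bot defense."""
    on = re.search(r"^\s*app_protect_enable\s+on\s*;", nginx_conf, re.MULTILINE)
    return bool(on) and bot_defense_enabled(policy_json)


def assess(installed: str, fixed_versions, feature_enabled: bool) -> str:
    if not feature_enabled:
        return "not exposed (feature disabled)"
    if is_fixed(installed, fixed_versions):
        return "fixed"
    return "VULNERABLE: upgrade per K000148512 or disable the feature"


# --- constructed sample inputs (not captured from real systems) -------------
SAMPLE_TMSH = """Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1
  Build       0.0.22
"""

SAMPLE_NGINX_CONF = """server {
    listen 443 ssl;
    app_protect_enable on;
    app_protect_policy_file /etc/app_protect/conf/policy.json;
}
"""

SAMPLE_POLICY = json.dumps({
    "policy": {
        "name": "policy_with_bot_defense",
        "template": {"name": "POLICY_TEMPLATE_NGINX_BASE"},
        "bot-defense": {"settings": {"isEnabled": True}},
    }
})

if __name__ == "__main__":
    # "17.1.2" below is a placeholder, NOT the real fixed version from K000148512.
    placeholder_fixed = ["17.1.2"]
    v = parse_tmsh_version(SAMPLE_TMSH)
    print("BIG-IP", v, "->", assess(v, placeholder_fixed, feature_enabled=True))
    print("NGINX bot defense active:", nginx_feature_active(SAMPLE_NGINX_CONF, SAMPLE_POLICY))
```

`is_fixed` compares only within the same major.minor branch on purpose: a 16.1.x host is not "fixed" because a higher 17.1.x release exists, and a branch absent from the advisory's fixed list is treated as unfixed so it is not silently skipped.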
📡 Detection & Monitoring
Log Indicators:
- Sudden increase in blocked legitimate requests
- Unusual patterns in SSRF or bot defense logs
- Service disruption alerts
Network Indicators:
- Increased connection timeouts
- Legitimate clients unable to establish connections
- Abnormal traffic patterns to protected endpoints
SIEM Query:
(source="f5-bigip" OR source="nginx") AND (message="*connection refused*" OR message="*request blocked*" OR message="*timed out*") | timechart span=1m count by source
The source clause must be parenthesized: AND binds tighter than OR, so without the brackets every f5-bigip event would match regardless of message. An exact message= match only hits when the whole field is equal, so use wildcards for substring matches. A user-agent exclusion adds nothing here, because the triggering requests are undisclosed; alert on the per-minute rate against the host's normal baseline rather than on individual events.
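The indicators above are all rate changes rather than single events, so the useful detection is a per-minute count compared with a baseline. The following is an added example, not code from F5 or from this page: a small detector run over constructed syslog-style lines. The line format, the `bigip1` hostname and the message texts are assumptions for illustration; map `LINE_RE` and `DISRUPTION_RE` onto your actual BIG-IP or NGINX log fields.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Added example: a minimal rate-based detector for the "new client connections
# are disrupted" symptom. The log format below is constructed syslog-style
# text, not actual F5 or NGINX output; adapt LINE_RE and DISRUPTION_RE to your
# real log source.
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # "<ISO timestamp> <host> <message>"
DISRUPTION_RE = re.compile(
    r"connection (?:refused|reset|timed out)|request blocked|handshake failed",
    re.IGNORECASE,
)


def bucket_disruptions(lines):
    """Count disruption-pattern lines per (host, minute)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        if not DISRUPTION_RE.search(msg):
            continue
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        counts[(host, minute)] += 1
    return counts


def flag_spikes(counts, factor=5.0, min_events=10):
    """Alert on a (host, minute) whose count is both above an absolute floor
    and more than `factor` times that host's median per-minute count. The
    median (rather than the mean) keeps one huge minute from inflating the
    baseline it is compared against. Minutes with zero matching lines are not
    bucketed, so the baseline is the typical *non-quiet* minute."""
    per_host = defaultdict(list)
    for (host, _), n in counts.items():
        per_host[host].append(n)
    alerts = []
    for (host, minute), n in sorted(counts.items()):
        baseline = median(per_host[host])
        if n >= min_events and n > factor * baseline:
            alerts.append({"host": host, "minute": minute.isoformat(),
                           "count": n, "baseline": baseline})
    return alerts


# Constructed sample: five ordinary minutes (2-3 blocked requests each, one
# unrelated line), then one minute with 40 refused connections. Hostname and
# addresses (documentation ranges) are hypothetical.
SAMPLE_LOGS = [
    "2025-10-01T10:00:05 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:00:17 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:00:40 bigip1 tmm: new client connection accepted",
    "2025-10-01T10:01:12 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:01:30 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:01:45 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:02:03 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:02:50 bigip1 tmm: connection timed out from 203.0.113.7",
    "2025-10-01T10:03:21 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:03:59 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:04:08 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:04:33 bigip1 tmm: request blocked by policy /Common/app_policy",
    "2025-10-01T10:04:44 bigip1 tmm: request blocked by policy /Common/app_policy",
] + [
    f"2025-10-01T10:05:{s:02d} bigip1 tmm: connection refused for client 198.51.100.{s}"
    for s in range(40)
]

if __name__ == "__main__":
    for alert in flag_spikes(bucket_disruptions(SAMPLE_LOGS)):
        print(alert)
```

The absolute floor (`min_events`) stops a host that normally logs one blocked request per minute from alerting on six; the relative factor stops a busy host from alerting on its normal volume. Tune both per host from a week of data before turning the alert on.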