Vulnerability

CERT-In Vulnerability Note CIVN-2025-0097
Multiple Vulnerabilities F5 Products

Original Issue Date:May 15, 2025

Severity Rating: HIGH

Software Affected

BIG-IP Next (all modules)
BIG-IP Next Central Manager
BIG-IP Next SPK versions 1.7.0 - 1.9.2
BIG-IP Next CNF versions 1.1.0 - 1.4.0
BIG-IQ Centralized Management
F5 Distributed Cloud (all services)
F5 Silverline (all services)
NGINX One Console
F5OS-A
F5OS-C
NGINX (all products)
Traffix SDC

Overview

Multiple vulnerabilities have been reported in F5 products, including BIG-IP, NGINX, and related modules. An attacker could exploit these vulnerabilities to execute arbitrary commands, gain unauthorized access, or cause denial-of-service (DoS) conditions on targeted system.

Target Audience:
Enterprise IT Departments, Network Administrators and Security Professionals, Cloud and DevOps Teams, Web Application Developers, Service Providers and Managed Service Providers, Security Operations Teams, CIOs and IT Leaders.

Risk Assessment:
Critical risks on confidentiality, integrity, and availability of the systems.

Impact Assessment:
Unauthorized access to sensitive information, compromise of integrity and confidentiality.

Description

F5 primarily focuses on ensuring that applications are secure, high-performing, and available. They provide a range of products and services designed to optimize the delivery of applications across the internet and private networks, addressing performance, security, and scalability concerns.

1. Privilege Escalation Vulnerability ( CVE-2025-43878   )

A vulnerability exists in F5OS due to insufficient validation of user-supplied input. An authenticated user with the Administrator or Resource Administrator role can bypass Appliance mode restrictions by leveraging the tcpdump utility available through the system diagnostics interface on affected system.

2. Privilege Escalation Vulnerability ( CVE-2025-46265   )

A vulnerability exists in F5OS due to improper authorization. An authenticated user leveraging external authentication methods such as LDAP, RADIUS, or TACACS+ may be inadvertently granted higher-privileged roles within F5OS than intended.
Successfully exploitation of this vulnerability could allow an attacker to gain the unauthorized access to administrative functions or sensitive system capabilities, undermining the role-based access control model on affected system.

3. Command Injection Vulnerability ( CVE-2025-31644   )

This vulnerability in F5OS exists due to improper input validation within some iControl REST and BIG-IP TMOS Shell (tmsh) commands. A remote privileged user could exploit this vulnerability by sending a specially crafted input to the system and executing arbitrary OS commands with elevated privileges.
Successful exploitation of this vulnerability could enable the attacker to cross a security boundary on the affected system.

4. Incorrect Authorization Vulnerability ( CVE-2025-36546   )

This vulnerability exists in F5OS due to incorrect authorization controls that may allow unauthorized access to sensitive system components. A remote attacker could exploit this vulnerability to obtain access to the root users SSH private key.
Successfully exploitation of this vulnerability could a remote attacker to compromise the affected system.

5. BIG-IP SCTP Vulnerability ( CVE-2025-41399   )

This vulnerability exists in F5 BIG-IP due to improper resource shutdown or release when a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server. A remote attacker could exploit this vulnerability to send specially crafted traffic to the system and perform a denial of service (DoS) attack on the affected system.

6. BIG-IP HTTP/HTTP2 Vulnerabilities ( CVE-2025-36557   CVE-2025-41414   CVE-2025-36504   )

These vulnerabilities exist in BIG-IP HTTP / HTTP2 due to insufficient validation of HTTP/ HTTP2 traffic in TMM module. A remote attacker could exploit these vulnerabilities to send specially crafted HTTP2 traffic to the system and perform a denial of service (DoS) attack the affected system.

7. BIG-IP SIP ALG profile Vulnerability   ( CVE-2025-41433   )

This vulnerability exists in F5 BIG-IP SIP ALG profile due to a NULL pointer dereference error when a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is configured on a Message Routing virtual server. A remote attacker could exploit this vulnerability to send specially crafted traffic to the system and perform a denial of service (DoS) attack.

8.   BIG-IP APM PingAccess Vulnerability ( CVE-2025-36525   )

This vulnerability exists in F5 BIG-IP APM PingAccess due to a boundary error when a BIG-IP APM PingAccess profile is configured on a virtual server. A remote attacker could exploit this vulnerability to send specially crafted traffic to the system and perform a denial of service (DoS) attack.

9. BIG-IP PEM Vulnerability ( CVE-2025-35995   )

This vulnerability exists in F5 BIG-IP PEM TMM module due to insufficient validation of user-supplied input when a BIG-IP PEM system is licensed with URL categorization, and the URL categorization policy or an iRule with the urlcat command is enabled on a virtual server. A remote attacker could exploit this vulnerability to send specially crafted input to the system and perform a denial of service (DoS) attack.

10. BIG-IP TMM Vulnerability ( CVE-2025-41431   )

This vulnerability exists in F5 BIG-IP TMM module due to a boundary error when connection mirroring is configured on a virtual server. A remote attacker could exploit this vulnerability to send specially crafted traffic to the device, trigger an out-of-bounds write and perform a denial of service (DoS) attack.

Solution

Apply appropriate security updates as mentioned in:
https://my.f5.com/manage/s/article/K000139502

https://my.f5.com/manage/s/article/K000139503

https://my.f5.com/manage/s/article/K000148591

https://my.f5.com/manage/s/article/K000140574

https://my.f5.com/manage/s/article/K000137709

https://my.f5.com/manage/s/article/K000139571

https://my.f5.com/manage/s/article/K000140968

https://my.f5.com/manage/s/article/K000140919

https://my.f5.com/manage/s/article/K000140937

https://my.f5.com/manage/s/article/K000150598

https://my.f5.com/manage/s/article/K000149952

https://my.f5.com/manage/s/article/K000150668

Vendor Information

References

CVE Name
CVE-2025-46265
CVE-2025-43878
CVE-2025-31644
CVE-2025-36546
CVE-2025-41399
CVE-2025-36557
CVE-2025-41414
CVE-2025-36504
CVE-2025-41433
CVE-2025-36525
CVE-2025-35995
CVE-2025-41431

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India