Analysis Summary

CVE-2025-41399 CVSS:8.7

When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-36557 CVSS:8.7

When an HTTP profile with the Enforce RFC Compliance option is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-36504 CVSS:8.7

When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-31644 CVSS:8.7

When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Impact

• Gain Access
• Denial of Service

Indicators of Compromise

CVE

• CVE-2025-41399
• CVE-2025-36557
• CVE-2025-36504
• CVE-2025-31644

Affected Vendors

Remediation

Refer to F5 Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-41399

CVE-2025-36557

CVE-2025-36504

CVE-2025-31644