Multiple F5 BIG-IP Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-41399 CVSS:8.7

When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-36557 CVSS:8.7

When an HTTP profile with the Enforce RFC Compliance option is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-36504 CVSS:8.7

When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-31644 CVSS:8.7

When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Impact

  • Gain Access
  • Denial of Service

Indicators of Compromise

CVE

  • CVE-2025-41399
  • CVE-2025-36557
  • CVE-2025-36504
  • CVE-2025-31644

Affected Vendors

  • F5

Affected Products

  • F5 BIG-IP 17.5.0
  • F5 BIG-IP 17.1.0 - 17.1.2.2
  • F5 BIG-IP 16.1.0 - 16.1.6
  • F5 BIG-IP 15.1.0 - 15.1.10.7
  • F5 BIG-IP Next 20.0.1 - 20.2.1
  • F5 BIG-IP Next SPK 1.8.0 - 2.0.0
  • F5 BIG-IP Next SPK 1.7.0 - 1.7.12
  • F5 BIG-IP Next CNF 2.0.0
  • F5 BIG-IP Next CNF 1.1.0 - 1.3.0
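An added triage helper (example code, not part of this advisory and not F5 tooling) that maps an inventory entry to the CVEs above whose version range and configuration precondition both hold. The version ranges and the "When ..." preconditions are taken from this page; the advisory gives one consolidated affected-product list, so the helper assumes it applies to all four CVEs, and the flag names, function names and sample inventory are my own.

```python
# Affected (first, last) versions, inclusive, copied from the advisory's list.
AFFECTED_RANGES = {
    "BIG-IP": [("17.5.0", "17.5.0"), ("17.1.0", "17.1.2.2"),
               ("16.1.0", "16.1.6"), ("15.1.0", "15.1.10.7")],
    "BIG-IP Next": [("20.0.1", "20.2.1")],
    "BIG-IP Next SPK": [("1.8.0", "2.0.0"), ("1.7.0", "1.7.12")],
    "BIG-IP Next CNF": [("2.0.0", "2.0.0"), ("1.1.0", "1.3.0")],
}

# Per-CVE precondition from each description, keyed by a flag name of my own.
CVE_PRECONDITIONS = {
    "CVE-2025-41399": "sctp_profile",       # SCTP profile on a virtual server
    "CVE-2025-36557": "http_enforce_rfc",   # HTTP profile, Enforce RFC Compliance on
    "CVE-2025-36504": "http2_httprouter",   # HTTP/2 httprouter profile
    "CVE-2025-31644": "appliance_mode",     # Appliance mode (needs admin-role auth)
}

def parse_version(text):
    """'17.1.2.2' -> (17, 1, 2, 2). Trailing zeros are dropped so that
    '17.5.0' and '17.5.0.0' compare equal; tuples then order lexicographically."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def in_affected_range(product, version):
    """True if `version` falls inside any listed range for `product`."""
    ranges = AFFECTED_RANGES.get(product)
    if ranges is None:
        raise ValueError(f"product not covered by this advisory: {product}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)

def applicable_cves(product, version, config):
    """CVEs whose version range and precondition both hold; `config` is the set of
    flag names enabled on the device. An empty result means 'not in a listed
    range', not 'fixed': the advisory does not evaluate EoTS releases."""
    if not in_affected_range(product, version):
        return []
    return sorted(cve for cve, flag in CVE_PRECONDITIONS.items() if flag in config)

def triage(inventory):
    """inventory: (hostname, product, version, config) tuples -> {host: [cves]}."""
    result = {}
    for host, product, version, config in inventory:
        cves = applicable_cves(product, version, config)
        if cves:
            result[host] = cves
    return result

# Constructed sample inventory (hostnames and settings are made up).
SAMPLE_INVENTORY = [
    ("ltm-01", "BIG-IP", "16.1.3", {"sctp_profile", "appliance_mode"}),
    ("ltm-02", "BIG-IP", "17.1.2.3", {"sctp_profile"}),
    ("spk-01", "BIG-IP Next SPK", "1.7.12", {"http2_httprouter"}),
]
```

Running `triage(SAMPLE_INVENTORY)` flags ltm-01 and spk-01 only; ltm-02 is one patch level past the listed 17.1.2.2 upper bound.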

Remediation

Refer to the F5 Security Advisories for patch, upgrade, or suggested workaround information:

  • CVE-2025-41399
  • CVE-2025-36557
  • CVE-2025-36504
  • CVE-2025-31644