CVE-2025-20058
Published: 05 February 2025
Description
When a BIG-IP message routing profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Security Summary
CVE-2025-20058 is a denial-of-service vulnerability in F5 BIG-IP systems, affecting configurations where a message routing profile is enabled on a virtual server. Undisclosed traffic directed at such a virtual server can trigger excessive memory resource utilization; the weakness is classified as CWE-400 (Uncontrolled Resource Consumption). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): high severity, because availability can be disrupted without authentication or user interaction, while confidentiality and integrity are not affected. Only BIG-IP software versions still under technical support are evaluated for impact.
A remote, unauthenticated attacker can exploit this vulnerability by sending crafted traffic to the affected virtual server. Successful exploitation leads to increased memory consumption on the BIG-IP system, potentially resulting in resource exhaustion and denial-of-service conditions that impair the device's functionality and traffic processing capabilities.
F5 has published an advisory detailing the issue and mitigation strategies at https://my.f5.com/manage/s/article/K000140947. Security practitioners should consult this reference for specific affected versions, patch availability, and recommended configuration changes. Note that software versions at End of Technical Support (EoTS) are not evaluated.
Details
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)