CVE-2025-21087
Published: 05 February 2025
Description
When Client or Server SSL profiles are configured on a Virtual Server, or DNSSEC signing operations are in use, undisclosed traffic can cause an increase in memory and CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Security Summary
CVE-2025-21087 is a denial-of-service vulnerability affecting F5 BIG-IP systems. It occurs when Client or Server SSL profiles are configured on a Virtual Server, or DNSSEC signing operations are in use, allowing undisclosed traffic to cause an increase in memory and CPU resource utilization. The issue is classified under CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and without user interaction. By sending the undisclosed traffic to an affected configuration, an attacker can trigger excessive memory and CPU consumption, leading to degraded performance or a complete denial of service, which is reflected in the High availability impact (A:H) of the CVSS vector.
The F5 security advisory, available at https://my.f5.com/manage/s/article/K000134888, provides further details on the vulnerability.
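To check the first precondition named above (Client or Server SSL profiles attached to a Virtual Server), the following added example, which is not code from F5 or from the advisory, lists the virtual servers in a configuration export that reference such profiles. It assumes the bigip.conf stanza layout reproduced in the constructed sample, uses made-up object names, tracks nesting by counting braces per line, and does not cover DNSSEC signing or the software version.

```python
import re

# Constructed sample in bigip.conf stanza layout; every object name is made up.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/shop_clientssl {
    defaults-from /Common/clientssl
}
ltm profile server-ssl /Common/backend_serverssl {
    defaults-from /Common/serverssl
}
ltm virtual /Common/vs_shop_https {
    destination /Common/192.0.2.10:443
    profiles {
        /Common/http { }
        /Common/shop_clientssl {
            context clientside
        }
        /Common/backend_serverssl {
            context serverside
        }
    }
}
ltm virtual /Common/vs_plain_http {
    destination /Common/192.0.2.10:80
    profiles {
        /Common/http { }
    }
}
"""

# Assumption: the stock parent profiles are defined outside this file, so seed them.
BUILTIN_SSL = {"/Common/clientssl": "client-ssl", "/Common/serverssl": "server-ssl"}

def ssl_virtual_servers(conf_text):
    """Return {virtual server: [(profile, kind), ...]} for attached SSL profiles."""
    ssl_profiles = dict(BUILTIN_SSL)
    pattern = r"^ltm profile (client-ssl|server-ssl) (\S+) \{"
    for kind, name in re.findall(pattern, conf_text, re.M):
        ssl_profiles[name] = kind
    findings, stack = {}, []          # stack holds the heads of the open stanzas
    for line in conf_text.splitlines():
        head = line.split("{")[0].strip()
        # True only directly inside the "profiles" block of an "ltm virtual" stanza.
        in_vs = stack[1:] == ["profiles"] and stack[0].startswith("ltm virtual ")
        if "{" in line and in_vs and head in ssl_profiles:
            findings.setdefault(stack[0].split()[2], []).append((head, ssl_profiles[head]))
        delta = line.count("{") - line.count("}")   # net nesting change on this line
        stack.extend([head] * max(delta, 0))
        del stack[max(len(stack) + min(delta, 0), 0):]   # close stanzas when delta < 0
    return findings
```

A virtual server that appears in the result meets only the configuration precondition; whether the installed version is affected has to be taken from the F5 advisory.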
Details
- CWE(s)