CVE-2025-22891
Published: 05 February 2025
Description
When BIG-IP PEM Control Plane listener Virtual Server is configured with Diameter Endpoint profile, undisclosed traffic can cause the Virtual Server to stop processing new client connections and an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Security Summary
CVE-2025-22891 is a denial-of-service vulnerability in F5 BIG-IP systems, specifically affecting the Policy Enforcement Manager (PEM) Control Plane listener Virtual Server when configured with a Diameter Endpoint profile. Undisclosed traffic sent to this configuration causes the Virtual Server to stop processing new client connections while also triggering an increase in memory resource utilization. This issue is classified under CWE-772 (Failed to Release Resource) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Note that software versions that have reached End of Technical Support (EoTS) were not evaluated.
The vulnerability can be exploited remotely by any unauthenticated attacker with network access to the affected Virtual Server, requiring low complexity and no user interaction. By sending the undisclosed traffic, an attacker can achieve a denial-of-service condition, halting new client connections and causing excessive memory consumption on the BIG-IP system.
For mitigation details, including affected versions and patches, refer to the F5 security advisory at https://my.f5.com/manage/s/article/K000139778.