[CIVN-2025-0268] Denial-of-Service (DoS) vulnerability in F5 BIG-IP Advanced WAF and ASM

Published On: October 17, 2025

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Systems Affected
BIG-IP Advanced WAF/ASM
17.5.0  
17.1.0 – 17.1.2
Overview
Multiple vulnerabilities in F5 BIG-IP Advanced WAF and ASM have been reported over time where undisclosed requests could cause the bd process to terminate, leading to a Denial-of-Service (DoS) condition.
Target Audience:
Enterprise IT Departments, Network Administrators and Security Professionals, Cloud and DevOps Teams, Web Application Developers, Service Providers and Managed Service Providers, Security Operations Teams, CIOs and IT Leaders.
Risk Assessment:
Critical risks to confidentiality, integrity, and availability of the systems.
Impact Assessment:
Unauthorized access to sensitive information, compromise of integrity and confidentiality.
Description
These vulnerabilities exist in F5 BIG-IP Advanced WAF and ASM. When an Advanced WAF or ASM security policy is configured, either manually or through the automatic Policy Builder, with a URL that is greater than 1024 characters in length for the Data Guard Protection Enforcement setting, the bd process can terminate repeatedly.
Successful exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to cause a DoS condition, particularly by using the automatic Policy Builder to trigger the long URL configuration.
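An added example (not part of the CERT-In advisory or of F5's tooling): a Python audit that checks a BIG-IP version against the affected ranges listed above and flags Data Guard enforcement URLs longer than 1024 characters in an exported security policy. The JSON key names (`policy`, `data-guard`, `enforcementUrls`) and the sample policy are assumptions; adjust them to match your own export.

```python
import json

# Affected BIG-IP Advanced WAF/ASM versions as listed in this advisory.
AFFECTED = [((17, 5, 0), (17, 5, 0)), ((17, 1, 0), (17, 1, 2))]
MAX_URL_LEN = 1024  # advisory threshold: URLs longer than this are the trigger


def is_affected(version: str) -> bool:
    """True if a dotted version falls in a range listed by the advisory.

    Only the first three components are compared; confirm hotfix levels
    against the F5 articles referenced in the advisory.
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return any(lo <= parts <= hi for lo, hi in AFFECTED)


def long_data_guard_urls(policy_json: str) -> list[tuple[int, int]]:
    """Return (index, length) for each Data Guard enforcement URL over the limit.

    ASSUMPTION: the export uses a "policy" -> "data-guard" -> "enforcementUrls"
    layout; change the keys if your export differs.
    """
    doc = json.loads(policy_json)
    policy = doc.get("policy", doc)  # tolerate exports without the wrapper
    data_guard = policy.get("data-guard") or {}
    urls = data_guard.get("enforcementUrls") or []
    return [(i, len(u)) for i, u in enumerate(urls)
            if isinstance(u, str) and len(u) > MAX_URL_LEN]


# Constructed sample policy (not taken from a real device).
SAMPLE_POLICY = json.dumps({
    "policy": {
        "name": "example_policy",
        "data-guard": {
            "enabled": True,
            "enforcementMode": "enforce-urls-in-list",
            "enforcementUrls": ["/account/statement", "/" + "a" * 1024, "/" + "b" * 1023],
        },
    }
})

if __name__ == "__main__":
    for ver in ("17.1.2", "17.1.3", "17.5.0"):
        print(ver, "affected" if is_affected(ver) else "not listed")
    for idx, length in long_data_guard_urls(SAMPLE_POLICY):
        print(f"enforcementUrls[{idx}] is {length} characters (> {MAX_URL_LEN})")
```

Entries reported by the audit are candidates for review alongside the vendor updates listed under Solution.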
Solution
Apply appropriate security updates as mentioned in:
https://my.f5.com/manage/s/article/K000156624
https://my.f5.com/manage/s/article/K000156621
https://my.f5.com/manage/s/article/K000154664
Vendor Information
F5
https://my.f5.com/manage/s/article/K000156572
References
F5
https://my.f5.com/manage/s/article/K000156624
https://my.f5.com/manage/s/article/K000156621
https://my.f5.com/manage/s/article/K000154664
CVE Name
CVE-2025-61938
CVE-2025-54858
CVE-2025-61935
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003