CVE-2025-20058

High

Published: 05 February 2025

Published

05 February 2025

Modified

21 October 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0054 67.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20058 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely installation of vendor patches for the affected BIG-IP versions to prevent memory exhaustion from crafted traffic.

SC-5 Denial-of-service Protection good match

preventdetect

Provides denial-of-service protection mechanisms to detect and limit crafted traffic causing uncontrolled memory resource consumption on BIG-IP virtual servers.

SC-6 Resource Availability good match

prevent

Ensures resource availability by protecting memory from degradation due to denial-of-service events triggered by undisclosed traffic to message routing profiles.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

CVE enables remote unauthenticated exploitation of a public-facing BIG-IP virtual server (T1190) via crafted traffic to trigger resource exhaustion and DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When a BIG-IP message routing profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Deeper analysisAI

CVE-2025-20058 is a denial-of-service vulnerability in F5 BIG-IP systems, specifically affecting configurations where a message routing profile is enabled on a virtual server. Undisclosed traffic directed at such a virtual server can trigger excessive memory resource utilization, classified under CWE-400 (Uncontrolled Resource Consumption). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for availability disruption without requiring authentication or user interaction. Only BIG-IP software versions still under technical support are evaluated for impact.

A remote, unauthenticated attacker can exploit this vulnerability by sending crafted traffic to the affected virtual server. Successful exploitation leads to increased memory consumption on the BIG-IP system, potentially resulting in resource exhaustion and denial-of-service conditions that impair the device's functionality and traffic processing capabilities.

F5 has published an advisory detailing the issue and mitigation strategies at https://my.f5.com/manage/s/article/K000140947. Security practitioners should consult this reference for specific affected versions, patch availability, and recommended configuration changes. Note that software versions at End of Technical Support (EoTS) are not evaluated.

Details

CWE(s): CWE-400

Affected Products

big-ip access policy manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip advanced firewall manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip advanced web application firewall

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip analytics

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip application acceleration manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip application security manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip application visibility and reporting

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip automation toolchain

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip carrier-grade nat

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip container ingress services

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

+11 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-21087Same product: F5 Big-Ip Access Policy Manager

CVE-2025-21091Same product: F5 Big-Ip Access Policy Manager

CVE-2025-20045Same product: F5 Big-Ip Access Policy Manager

CVE-2025-24320Same product: F5 Big-Ip Access Policy Manager

CVE-2025-20029Same product: F5 Big-Ip Access Policy Manager

CVE-2025-22846Same product: F5 Big-Ip Access Policy Manager

CVE-2025-23239Same product: F5 Big-Ip Access Policy Manager

CVE-2025-24312Same product: F5 Big-Ip Advanced Firewall Manager

CVE-2025-53521Same product: F5 Big-Ip Access Policy Manager

CVE-2025-22891Same product: F5 Big-Ip Policy Enforcement Manager

References

https://my.f5.com/manage/s/article/K000140947
Vendor Advisory · f5sirt@f5.com