CVE-2025-21087

High

Published: 05 February 2025

Published

05 February 2025

Modified

21 October 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0042 61.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21087 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 38.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the software flaw in F5 BIG-IP causing uncontrolled CPU and memory consumption from undisclosed traffic when SSL profiles or DNSSEC signing are enabled.

SC-5 Denial-of-service Protection good match

preventdetect

Protects against denial-of-service resource exhaustion triggered by specific traffic to virtual servers with Client/Server SSL profiles or DNSSEC operations.

SC-6 Resource Availability good match

prevent

Ensures availability of CPU and memory resources against excessive utilization from the CVE's uncontrolled consumption vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Direct remote exploitation of the resource exhaustion flaw (CWE-400) in a public-facing network appliance enables Endpoint Denial of Service via Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When Client or Server SSL profiles are configured on a Virtual Server, or DNSSEC signing operations are in use, undisclosed traffic can cause an increase in memory and CPU resource utilization. Note: Software versions which have reached End of Technical…

Support (EoTS) are not evaluated

Deeper analysisAI

CVE-2025-21087 is a denial-of-service vulnerability affecting F5 BIG-IP systems. It occurs when Client or Server SSL profiles are configured on a Virtual Server, or DNSSEC signing operations are in use, allowing undisclosed traffic to cause an increase in memory and CPU resource utilization. The issue is classified under CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By sending the undisclosed traffic to affected configurations, attackers can trigger excessive resource consumption, leading to degraded performance or complete denial of service due to high availability impact.

The F5 security advisory, available at https://my.f5.com/manage/s/article/K000134888, provides further details on the vulnerability.

Details

CWE(s): CWE-400

Affected Products

big-ip access policy manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip advanced firewall manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip advanced web application firewall

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip analytics

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip application acceleration manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip application security manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip application visibility and reporting

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip automation toolchain

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip carrier-grade nat

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip container ingress services

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

+11 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-20058Same product: F5 Big-Ip Access Policy Manager

CVE-2025-21091Same product: F5 Big-Ip Access Policy Manager

CVE-2025-20045Same product: F5 Big-Ip Access Policy Manager

CVE-2025-24320Same product: F5 Big-Ip Access Policy Manager

CVE-2025-22846Same product: F5 Big-Ip Access Policy Manager

CVE-2025-20029Same product: F5 Big-Ip Access Policy Manager

CVE-2025-22891Same product: F5 Big-Ip Policy Enforcement Manager

CVE-2025-24326Same product: F5 Big-Ip Application Security Manager

CVE-2025-23412Same product: F5 Big-Ip Access Policy Manager

CVE-2025-23239Same product: F5 Big-Ip Access Policy Manager

References

https://my.f5.com/manage/s/article/K000134888
Vendor Advisory · f5sirt@f5.com