CVE-2025-21091

High

Published: 05 February 2025

Published

05 February 2025

Modified

21 October 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0063 70.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21091 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the memory leak flaw (CWE-401) in BIG-IP systems when SNMP v1/v2c is disabled by identifying, reporting, and applying vendor patches.

SC-5 Denial-of-service Protection good match

prevent

Enforces denial-of-service protections such as rate limiting and resource quotas to block unauthenticated requests causing memory exhaustion.

SC-6 Resource Availability good match

prevent

Protects memory resource availability from unauthorized depletion by the undisclosed requests targeting BIG-IP systems.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Remote unauthenticated exploitation of public-facing BIG-IP service triggers memory exhaustion DoS via crafted requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When SNMP v1 or v2c are disabled on the BIG-IP, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Deeper analysisAI

CVE-2025-21091 affects F5 BIG-IP systems when SNMP v1 or v2c are disabled, allowing undisclosed requests to cause an increase in memory resource utilization. This vulnerability, published on 2025-02-05, is classified under CWE-401 (Memory Leak) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for availability impact.

Unauthenticated attackers with network access can exploit this issue with low attack complexity and no user interaction required. Exploitation involves sending the undisclosed requests, leading to memory exhaustion and potential denial-of-service conditions on the affected BIG-IP system.

Mitigation details are available in the F5 security advisory at https://my.f5.com/manage/s/article/K000140933. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated.

Details

CWE(s): CWE-401

Affected Products

big-ip access policy manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip advanced firewall manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip advanced web application firewall

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip analytics

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip application acceleration manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip application security manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip application visibility and reporting

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip automation toolchain

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip carrier-grade nat

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

big-ip container ingress services

15.1.0 — 15.1.10 · 16.1.0 — 16.1.6 · 17.1.0 — 17.1.2

+11 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-20058Same product: F5 Big-Ip Access Policy Manager

CVE-2025-20045Same product: F5 Big-Ip Access Policy Manager

CVE-2025-21087Same product: F5 Big-Ip Access Policy Manager

CVE-2025-24320Same product: F5 Big-Ip Access Policy Manager

CVE-2025-20029Same product: F5 Big-Ip Access Policy Manager

CVE-2025-22846Same product: F5 Big-Ip Access Policy Manager

CVE-2025-23239Same product: F5 Big-Ip Access Policy Manager

CVE-2025-24312Same product: F5 Big-Ip Advanced Firewall Manager

CVE-2025-22891Same product: F5 Big-Ip Policy Enforcement Manager

CVE-2025-24326Same product: F5 Big-Ip Application Security Manager

References

https://my.f5.com/manage/s/article/K000140933
Vendor Advisory · f5sirt@f5.com