CVE-2025-22891
Published: 05 February 2025
Summary
CVE-2025-22891 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in F5 BIG-IP Policy Enforcement Manager (PEM). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 38.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Flaw remediation via vendor patches: directly mitigates the vulnerability by requiring identification, reporting, and timely remediation of the specific BIG-IP PEM flaw that causes resource exhaustion.
- SC-5 (Denial-of-service Protection): protects the Virtual Server against denial of service from undisclosed traffic by implementing mechanisms that limit effects such as halted connections and memory exhaustion.
- SC-6 (Resource Availability): safeguards memory and processing resources from unauthorized depletion and exhaustion triggered by malformed Diameter traffic targeting the PEM Control Plane.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The CVE describes a remote unauthenticated vulnerability in a public-facing Virtual Server that can be triggered by specific traffic to cause service unavailability and resource exhaustion, directly enabling Application or System Exploitation for denial of service.
NVD Description
When BIG-IP PEM Control Plane listener Virtual Server is configured with Diameter Endpoint profile, undisclosed traffic can cause the Virtual Server to stop processing new client connections and an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Deeper analysis [AI-generated]
CVE-2025-22891 is a denial-of-service vulnerability in F5 BIG-IP systems, specifically affecting the Policy Enforcement Manager (PEM) Control Plane listener Virtual Server when it is configured with a Diameter Endpoint profile. Undisclosed traffic sent to this configuration causes the Virtual Server to stop processing new client connections while also triggering an increase in memory resource utilization. The issue is classified under CWE-772 (Missing Release of Resource after Effective Lifetime) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Note that software versions that have reached End of Technical Support (EoTS) were not evaluated.
The vulnerability can be exploited remotely by any unauthenticated attacker with network access to the affected Virtual Server, requiring low complexity and no user interaction. By sending the undisclosed traffic, an attacker can achieve a denial-of-service condition, halting new client connections and causing excessive memory consumption on the BIG-IP system.
For mitigation details, including affected versions and patches, refer to the F5 security advisory at https://my.f5.com/manage/s/article/K000139778.
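The following is an added defender-side example, not code from this page, from F5, or from the advisory. It does two things an operator would want while waiting for or validating the patch: it inventories which virtual servers attach a Diameter profile (a superset of the PEM Control Plane listener configuration the CVE names, so every hit is worth reviewing) and whether they accept traffic from any source, and it checks polled metrics for the CVE's symptom pair, memory climbing while new connections stop. The tmsh listing layout it parses is an approximation of `tmsh list ltm profile diameter` and `tmsh list ltm virtual` output and is an assumption; all names, addresses and metric samples are constructed.

```python
import re

# Constructed sample text approximating `tmsh list ltm profile diameter`.
# The layout is an assumption about tmsh output; names are made up.
SAMPLE_DIAMETER_PROFILES = """\
ltm profile diameter /Common/diameter {
    app-service none
}
ltm profile diameter /Common/pem_diameter_endpoint {
    app-service none
    defaults-from /Common/diameter
}
"""

# Constructed sample text approximating `tmsh list ltm virtual`
# (assumed layout; addresses and names are made up).
SAMPLE_VIRTUALS = """\
ltm virtual /Common/pem_control_plane_vs {
    destination /Common/10.0.0.5:3868
    ip-protocol tcp
    profiles {
        /Common/pem_diameter_endpoint {
            context all
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
ltm virtual /Common/web_vs {
    destination /Common/10.0.0.6:443
    ip-protocol tcp
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
    source 10.0.0.0/8
}
"""

PROFILE_DEF_RE = re.compile(r"^ltm profile diameter (\S+) \{", re.M)
VIRTUAL_RE = re.compile(r"^ltm virtual (\S+) \{\n(.*?)^\}", re.M | re.S)
PROFILE_REF_RE = re.compile(r"^[ \t]+(/\S+) \{", re.M)
SOURCE_RE = re.compile(r"^[ \t]+source (\S+)", re.M)
DEST_RE = re.compile(r"^[ \t]+destination (\S+)", re.M)


def diameter_profiles(profile_listing: str) -> set:
    """Names of every diameter profile defined on the device."""
    return set(PROFILE_DEF_RE.findall(profile_listing))


def virtuals_with_diameter(virtual_listing: str, diameter_names: set) -> list:
    """Virtual servers that attach a diameter profile, with their exposure."""
    findings = []
    for name, body in VIRTUAL_RE.findall(virtual_listing):
        hits = sorted(set(PROFILE_REF_RE.findall(body)) & diameter_names)
        if not hits:
            continue
        src = SOURCE_RE.search(body)
        dst = DEST_RE.search(body)
        source = src.group(1) if src else "0.0.0.0/0"  # assumed default when omitted
        findings.append({
            "virtual": name,
            "profiles": hits,
            "destination": dst.group(1) if dst else None,
            "source": source,
            "any_source": source in ("0.0.0.0/0", "::/0"),
        })
    return findings


def memory_exhaustion_signal(samples, min_rise: float = 15.0) -> bool:
    """samples: (memory_pct, new_connections_per_sec) pairs, oldest first.
    Flags the CVE's symptom pair: memory climbs monotonically by at least
    min_rise points while the virtual server stops accepting new connections."""
    if len(samples) < 3:
        return False
    mem = [m for m, _ in samples]
    conns = [c for _, c in samples]
    rising = all(b >= a for a, b in zip(mem, mem[1:])) and mem[-1] - mem[0] >= min_rise
    stalled = conns[0] > 0 and conns[-1] == 0
    return rising and stalled


# Constructed polling samples (assumed metrics, e.g. from SNMP or stats polling).
SAMPLE_DEGRADED = [(40, 120), (52, 95), (61, 30), (70, 0), (78, 0)]
SAMPLE_HEALTHY = [(40, 120), (41, 118), (40, 125), (42, 117)]

if __name__ == "__main__":
    names = diameter_profiles(SAMPLE_DIAMETER_PROFILES)
    for f in virtuals_with_diameter(SAMPLE_VIRTUALS, names):
        print(f"{f['virtual']}: diameter profiles {f['profiles']}, "
              f"destination {f['destination']}, source {f['source']}"
              + (" (reachable from any source)" if f["any_source"] else ""))
    print("degraded sample flagged:", memory_exhaustion_signal(SAMPLE_DEGRADED))
    print("healthy sample flagged:", memory_exhaustion_signal(SAMPLE_HEALTHY))
```

The profile-reference matcher deliberately keys on profile names defined as `ltm profile diameter`, because the virtual server listing shows only the attached profile's name, not its type. A virtual server flagged with `any_source` set is the case the CVSS vector describes (network-reachable, no authentication), so those are the ones to prioritise for the advisory's patch and for source restrictions while it is applied.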
Details
- CWE(s)