Cyber Resilience

CVE-2025-53856

High

Published: 15 October 2025

Published
15 October 2025
Modified
21 October 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 11.2th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-53856 is a high-severity Incorrect Control Flow Scoping (CWE-705) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 8.7 (High).

Operationally, ranked at the 11.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

When a virtual server, network address translation (NAT) object, or secure network address translation (SNAT) object uses the embedded Packet Velocity Acceleration (ePVA) feature, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. To determine which BIG-IP platforms…

more

have an ePVA chip refer to K12837: Overview of the ePVA feature https://my.f5.com/manage/s/article/K12837 . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

f5
big-ip access policy manager
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
f5
big-ip advanced firewall manager
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
f5
big-ip advanced web application firewall
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
f5
big-ip analytics
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
f5
big-ip application acceleration manager
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
f5
big-ip application security manager
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
f5
big-ip application visibility and reporting
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
f5
big-ip automation toolchain
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
f5
big-ip carrier-grade nat
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
f5
big-ip container ingress services
15.1.0 — 15.1.10.8 · 16.1.0 — 16.1.6.1 · 17.1.0 — 17.1.3
+11 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References