F5 BIG-IP vulnerabilities
214 known vulnerabilities affecting f5/big-ip.
Total CVEs: 214
CISA KEV: 4 (actively exploited)
Public exploits: 5
Exploited in wild: 3
Severity breakdown: CRITICAL 8, HIGH 139, MEDIUM 62, LOW 5
Vulnerabilities
Page 1 of 11
CVE-2026-2507 | HIGH | CVSS 8.7 | CWE-476
Affected: ≥ 17.5.1.4, < *
Date: 2026-02-18
When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2026-22548 | HIGH | CVSS 8.2 | CWE-362
Affected: ≥ 17.1.0, < 17.1.3
Date: 2026-02-04
When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2026-20732 | LOW | CVSS 2.3 | CWE-451
Affected: ≥ 17.5.0, < 17.5.1.4; ≥ 17.1.0, < 17.1.3.1; +1 more
Date: 2026-02-04
A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-53521 | CRITICAL | CVSS 9.3 | KEV | CWE-121
Affected: ≥ 17.5.0, < 17.5.1.3; ≥ 17.1.0, < 17.1.3; +2 more
Date: 2025-10-15
When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-46706 | HIGH | CVSS 8.7 | CWE-770
Affected: ≥ 17.1.0, < 17.1.2.2; ≥ 16.1.0, < 16.1.6
Date: 2025-10-15
When an iRule containing the HTTP::respond command is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-61938 | HIGH | CVSS 8.7 | CWE-1284
Affected: ≥ 17.5.0, < 17.5.1; ≥ 17.1.0, < 17.1.3
Date: 2025-10-15
When a BIG-IP Advanced WAF or ASM security policy is configured with a URL greater than 1024 characters in length for the Data Guard Protection Enforcement setting, either manually or through the automatic Policy Builder, the bd process can terminate repeatedly. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-55036 | HIGH | CVSS 8.7 | CWE-787
Affected: ≥ 17.1.0, < 17.1.3; ≥ 16.1.0, < 16.1.6; +1 more
Date: 2025-10-15
When BIG-IP SSL Orchestrator explicit forward proxy is configured on a virtual server and the proxy connect feature is enabled, undisclosed traffic may cause memory corruption. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-59481 | HIGH | CVSS 8.5 | CWE-250
Affected: ≥ 17.5.0, < 17.5.1.3; ≥ 17.1.0, < 17.1.3; +2 more
Date: 2025-10-15
A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with at least resource administrator role to execute arbitrary system commands with higher privileges. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-59478 | HIGH | CVSS 8.7 | CWE-824
Affected: ≥ 17.5.0, < 17.5.1; ≥ 17.1.0, < 17.1.3; +1 more
Date: 2025-10-15
When a BIG-IP AFM denial-of-service (DoS) protection profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-61974 | HIGH | CVSS 8.7 | CWE-401
Affected: ≥ 17.5.0, < 17.5.1.3; ≥ 17.1.0, < 17.1.3; +2 more
Date: 2025-10-15
When a client SSL profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-61960 | HIGH | CVSS 8.7 | CWE-476
Affected: ≥ 17.5.0, < 17.5.1.3; ≥ 17.1.0, < 17.1.3; +1 more
Date: 2025-10-15
When a per-request policy is configured on a BIG-IP APM portal access virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-54854 | HIGH | CVSS 8.7 | CWE-125
Affected: ≥ 17.5.0, < 17.5.1.3; ≥ 17.1.0, < 17.1.3; +2 more
Date: 2025-10-15
When a BIG-IP APM OAuth access profile (Resource Server or Resource Client) is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-61990 | HIGH | CVSS 8.7 | CWE-415
Affected: ≥ 17.5.0, < 17.5.1.3; ≥ 17.1.0, < 17.1.3; +2 more
Date: 2025-10-15
When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-48008 | HIGH | CVSS 8.7 | CWE-416
Affected: ≥ 17.1.0, < 17.1.2.2; ≥ 16.1.0, < 16.1.6; +1 more
Date: 2025-10-15
When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a virtual server, undisclosed traffic along with conditions beyond the attacker's control can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-59781 | HIGH | CVSS 8.7 | CWE-459
Affected: ≥ 17.1.0, < 17.1.2.2; ≥ 16.1.0, < 16.1.6; +1 more
Date: 2025-10-15
When DNS cache is configured on a BIG-IP or BIG-IP Next CNF virtual server, undisclosed DNS queries can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-53868 | HIGH | CVSS 8.5 | CWE-78
Affected: ≥ 17.5.0, < 17.5.1; ≥ 17.1.0, < 17.1.3.1; +2 more
Date: 2025-10-15
When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance mode restrictions using undisclosed commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-59483 | HIGH | CVSS 8.5 | CWE-73
Affected: ≥ 17.5.0, < 17.5.1.3; ≥ 17.1.0, < 17.1.3; +2 more
Date: 2025-10-15
A validation vulnerability exists in an undisclosed URL in the Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-41430 | HIGH | CVSS 8.7 | CWE-770
Affected: ≥ 17.5.0, < 17.5.1; ≥ 17.1.0, < 17.1.3; +2 more
Date: 2025-10-15
When BIG-IP SSL Orchestrator is enabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-53474 | HIGH | CVSS 8.7 | CWE-120
Affected: ≥ 17.5.0, < 17.5.1.3; ≥ 17.1.0, < 17.1.3; +2 more
Date: 2025-10-15
When an iRule using an ILX::call command is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
CVE-2025-47148 | HIGH | CVSS 7.1 | CWE-404
Affected: ≥ 17.5.0, < 17.5.1; ≥ 17.1.0, < 17.1.3; +2 more
Date: 2025-10-15
When the BIG-IP system is configured as both a Security Assertion Markup Language (SAML) service provider (SP) and Identity Provider (IdP), with single logout (SLO) enabled on an access policy, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd