F5 Big-Ip Next Spk vulnerabilities

CVE-2025-46706 [HIGH] CWE-770 CVE-2025-46706: When an iRule containing the HTTP::respond command is configured on a virtual server, undisclosed re When an iRule containing the HTTP::respond command is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-55670 [HIGH] CWE-770 CVE-2025-55670: On BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes systems, repeated undisclosed AP On BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes systems, repeated undisclosed API calls can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-61974 [HIGH] CWE-401 CVE-2025-61974: When a client SSL profile is configured on a virtual server, undisclosed requests can cause an incre When a client SSL profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-61990 [HIGH] CWE-415 CVE-2025-61990: When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traff When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-48008 [HIGH] CWE-416 CVE-2025-48008: When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a virtual server, undisclosed When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a virtual server, undisclosed traffic along with conditions beyond the attacker's control can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-58120 [HIGH] CWE-476 CVE-2025-58120: When HTTP/2 Ingress is configured, undisclosed traffic can cause the Traffic Management Microkernel When HTTP/2 Ingress is configured, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-60016 [HIGH] CWE-119 CVE-2025-60016: When Diffie-Hellman (DH) group Elliptic Curve Cryptography (ECC) Brainpool curves are configured in When Diffie-Hellman (DH) group Elliptic Curve Cryptography (ECC) Brainpool curves are configured in an SSL profile's Cipher Rule or Cipher Group, and that profile is applied to a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS)

CVE-2025-54805 [MEDIUM] CWE-401 CVE-2025-54805: When an iRule is configured on a virtual server via the declarative API, upon re-instantiation, the When an iRule is configured on a virtual server via the declarative API, upon re-instantiation, the cleanup process can cause an increase in the Traffic Management Microkernel (TMM) memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-54500 [MEDIUM] CWE-770 CVE-2025-54500: An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control fr An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-36504 [HIGH] CWE-770 CVE-2025-36504: When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-41399 [HIGH] CWE-404 CVE-2025-41399: When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisc When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-41414 [HIGH] CWE-476 CVE-2025-41414: When HTTP/2 client and server profile is configured on a virtual server, undisclosed requests can ca When HTTP/2 client and server profile is configured on a virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2025-36557 [HIGH] CWE-120 CVE-2025-36557: When an HTTP profile with the Enforce RFC Compliance option is configured on a virtual server, undis When an HTTP profile with the Enforce RFC Compliance option is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2025-22846 [HIGH] CWE-404 CVE-2025-22846: When SIP Session and Router ALG profiles are configured on a Message Routing type virtual server, un When SIP Session and Router ALG profiles are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2024-41164 [HIGH] CWE-476 CVE-2024-41164: When TCP profile with Multipath TCP enabled (MPTCP) is configured on a Virtual Server, undisclosed t When TCP profile with Multipath TCP enabled (MPTCP) is configured on a Virtual Server, undisclosed traffic along with conditions beyond the attackers control can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2024-23306 [HIGH] CWE-522 CVE-2024-23306: A vulnerability exists in BIG-IP Next CNF and SPK systems that may allow access to undisclosed sensi A vulnerability exists in BIG-IP Next CNF and SPK systems that may allow access to undisclosed sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2024-23314 [HIGH] CWE-908 CVE-2024-23314: When HTTP/2 is configured on BIG-IP or BIG-IP Next SPK systems, undisclosed responses can cause the When HTTP/2 is configured on BIG-IP or BIG-IP Next SPK systems, undisclosed responses can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2023-45226 [HIGH] CWE-798 CVE-2023-45226: The BIG-IP SPK TMM (Traffic Management Module) f5-debug-sidecar and f5-debug-sshd containers contai The BIG-IP SPK TMM (Traffic Management Module) f5-debug-sidecar and f5-debug-sshd containers contains hardcoded credentials that may allow an attacker with the ability to intercept traffic to impersonate the SPK Secure Shell (SSH) server on those containers. This is only exposed when ssh debug is enabled. Note: Software versions which have reached End

CVE-2023-40534 [HIGH] CWE-401 CVE-2023-40534: When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, a When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.