Memory Resource Utilization Issue in BIG-IP by F5 Networks
CVE-2025-21091
What is CVE-2025-21091?
CVE-2025-21091 is a vulnerability affecting BIG-IP, the application delivery, load balancing, and traffic management product developed by F5 Networks. The vulnerability is triggered when SNMP (Simple Network Management Protocol) versions 1 or 2c are disabled: in that configuration, undisclosed requests can cause a significant increase in memory resource utilization. Such memory exhaustion can degrade the performance and reliability of the system, putting application availability and service delivery at risk.
Technical Details
The vulnerability is linked specifically to memory management within the BIG-IP platform under certain SNMP configurations. If SNMP v1 or v2c is turned off, undisclosed requests can lead to excessive memory consumption. This behavior may not be clearly visible or immediately flagged, making it a hidden risk for administrators who rely on consistent system performance. The issue has not yet been seen exploited in the wild, but its presence in a widely deployed product makes it a point of concern for system administrators.
Potential impact of CVE-2025-21091
- System Performance Degradation: A significant increase in memory resource utilization can lead to slow response times, service latency, and even system crashes, severely hindering business operations that depend on real-time application performance.
- Increased Operational Costs: Organizations may incur unplanned costs for system resources, as additional hardware or software may be needed to accommodate the increased load, straining budgets and resource allocation.
- Potential for Service Disruption: With applications potentially becoming unresponsive due to memory strain, there is an increased risk of service outages, which could affect customer experience and damage organizational reputation.
Affected Version(s)
BIG-IP 17.1.0 < 17.1.2
BIG-IP 16.1.0
BIG-IP 15.1.0
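As an added example (not code from F5 or from this advisory), a small Python check that compares BIG-IP version strings from a device inventory against the affected versions listed above. The device names and versions are constructed, and the 16.1.0 and 15.1.0 entries are matched exactly as listed on this page, so consult the vendor advisory for the full branch ranges and fixed releases.

```python
"""Triage BIG-IP version strings against the affected versions listed for CVE-2025-21091."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected versions as this page lists them. Assumption: "16.1.0" and "15.1.0"
# are treated as exact entries here; the vendor advisory gives the branch ranges.
AFFECTED_RANGES = [
    ((17, 1, 0), (17, 1, 2)),  # 17.1.0 <= version < 17.1.2
]
AFFECTED_EXACT = {(16, 1, 0), (15, 1, 0)}

# major.minor.point, with an optional fourth (build) field that is ignored
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.point' into a comparable tuple; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version is in the listed affected set, False if not, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    if v in AFFECTED_EXACT:
        return True
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> 'affected' / 'not listed' / 'unknown version'."""
    labels = {True: "affected", False: "not listed", None: "unknown version"}
    return {name: labels[is_affected(ver)] for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical device names and versions).
    sample = {"lb-edge-01": "17.1.1", "lb-edge-02": "17.1.2",
              "lb-dc-01": "16.1.0", "lb-lab": "n/a"}
    for device, status in triage(sample).items():
        print(f"{device}: {status}")
```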