CVE Alert: CVE-2025-54858 – F5 – BIG-IP

CVE-2025-54858

HIGH · No exploitation known

When a BIG-IP Advanced WAF or BIG-IP ASM Security Policy is configured with a JSON content profile that has a malformed JSON schema, and the security policy is applied to a virtual server, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
F5
Product
BIG-IP
Versions
17.5.0 ≤ v < 17.5.1.3 | 17.1.0 ≤ v < 17.1.3 | 16.1.0 ≤ v < 16.1.6.1 | 15.1.0 ≤ v < 15.1.10.8
CWE
CWE-674 Uncontrolled Recursion
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-15T13:55:51.946Z
Updated
2025-10-16T03:56:55.858Z

AI Summary Analysis

Risk verdict

High risk to availability for affected BIG-IP deployments: remote, unauthenticated requests to a virtual server whose ASM/Advanced WAF policy carries a JSON content profile with a malformed JSON schema can terminate the bd process. No active exploitation indicators are currently reported.

Why this matters

Denial of service against BIG-IP ASM/Advanced WAF degrades a key security control and disrupts service availability for internet-facing applications. Attackers could use this to force outages or weaken policy enforcement, affecting SLAs and user experience in high-traffic environments.

Most likely attack path

A remote attacker sends undisclosed requests over the network to a virtual server on a vulnerable BIG-IP instance; the precondition is that the applied security policy contains a JSON content profile with a malformed JSON schema. No privileges or user interaction are required, which makes exploitation practical, and the impact is contained to availability of the affected BIG-IP service (the vector records no confidentiality or integrity impact).

Who is most exposed

Organisations running ASM/Advanced WAF in internet-facing or DMZ deployments on the affected 15.x–17.x releases are at risk; those lagging on the older 15.x–17.x lines, or on EoTS versions (which the vendor did not evaluate), are more exposed because of patching gaps.

Detection ideas

  • bd process crash events or service restarts in system logs
  • spike in 5xx errors on affected virtual servers
  • crash dumps/core files linked to BIG-IP components
  • policy-application errors referenced in WAF/ASM logs
  • anomalous failed policy applications following JSON profile changes

Mitigation and prioritisation

  • Apply vendor patch or upgrade to a supported release per the advisory; verify patch scope for affected modules (ASM, Advanced WAF).
  • If patching is delayed, enforce strict access controls on management interfaces and restrict who can change security policies; review each JSON content profile's schema for validity and retire or replace any malformed one.
  • Validate change-management procedures; test in a staging environment before rolling out to production.
  • Enhance monitoring: enable detailed WAF/ASM logs, watch for related crash indicators, and alert on policy-apply events.
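To turn the Versions line into a triage check against the version string a BIG-IP reports (for example from `tmsh show sys version`), here is an added Python example that is not F5's tooling and not part of the original page. It compares versions numerically component by component (so 15.1.9 correctly falls below 15.1.10.8, unlike a plain string comparison), treats each upper bound as exclusive as the page's "lt" indicates, and reports a version outside every range only as "not listed", because the page notes that EoTS releases were not evaluated.

```python
"""Affected-version triage for CVE-2025-54858 (added example, not F5 code).

The ranges are copied from this page's Versions line: a release is affected
when lower <= version < upper for any listed range. Assumption: version
strings are dotted numeric components only (e.g. "17.1.1.3"); missing
trailing components are treated as zero.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive, upper bound exclusive), as listed on the page.
AFFECTED_RANGES_TEXT: List[Tuple[str, str]] = [
    ("17.5.0", "17.5.1.3"),
    ("17.1.0", "17.1.3"),
    ("16.1.0", "16.1.6.1"),
    ("15.1.0", "15.1.10.8"),
]


def parse_version(text: str, width: int = 4) -> Version:
    """Turn '17.1.3' into (17, 1, 3, 0) so tuples compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > width:
        raise ValueError(f"unexpected BIG-IP version string: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    (parse_version(lo), parse_version(hi)) for lo, hi in AFFECTED_RANGES_TEXT
]


def is_affected(version: str) -> bool:
    """True when the version falls inside any listed affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(versions: List[str]) -> Dict[str, str]:
    """Map each version to 'affected' or 'not listed'. 'not listed' is not a
    clean bill of health: EoTS releases were not evaluated by the vendor."""
    return {v: ("affected" if is_affected(v) else "not listed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, including boundary versions.
    for ver, status in triage(["17.1.1.3", "17.1.3", "15.1.9", "15.1.10.8", "17.0.0"]).items():
        print(f"{ver:>10}  {status}")
```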
