CVE Alert: CVE-2025-54854 – F5 – BIG-IP

CVE-2025-54854

HIGH · No exploitation known

When a BIG-IP APM OAuth access profile (Resource Server or Resource Client) is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED · C NONE · I NONE · A HIGH
Vendor
F5
Product
BIG-IP
Versions
17.5.0 to before 17.5.1.3 | 17.1.0 to before 17.1.3 | 16.1.0 to before 16.1.6.1 | 15.1.0 to before 15.1.10.8
CWE
CWE-125 Out-of-bounds Read
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-15T13:55:53.609Z
Updated
2025-10-16T03:57:06.562Z

AI Summary Analysis

Risk verdict

High risk of unauthenticated remote denial of service against BIG-IP APM wherever an OAuth access profile (Resource Server or Resource Client) is attached to a virtual server; patching should be prioritised.

Why this matters

Crafted traffic to a virtual server carrying an APM OAuth access profile terminates the apmd process, which evaluates access policies for that server. The impact is availability only: while apmd is down, users and systems that rely on APM for SSO, OAuth token validation or access control see failed or degraded authentication, with whatever downstream business disruption follows from that.

Most likely attack path

An attacker needs only network reachability to a virtual server on an affected BIG-IP that has an APM OAuth access profile (Resource Server or Resource Client) configured. No authentication, privileges or user interaction are required, and attack complexity is low. Each successful attempt crashes apmd; the process is restarted, but authentication fails until it is back, and repeated attempts can hold the service down. Confidentiality and integrity are not directly affected.

Who is most exposed

Organisations with internet-facing BIG-IP appliances exposing APM-enabled authentication flows, especially in DMZs or cloud-fronted deployments serving remote or SaaS access.

Detection ideas

  • apmd process termination or crash events near traffic spikes to APM endpoints
  • unexpected service restarts or health-check failures for the APM stack
  • spikes in authentication failures or disrupted OAuth flows
  • crash dumps or core files linked to APM modules
  • anomalous network traffic patterns to APM virtual servers
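The first, second and fourth detection ideas can be turned into a simple log check. The script below is an added example, not F5 tooling: it scans constructed sample records in the shape of BIG-IP /var/log/ltm syslog lines for apmd heartbeat failures and crash messages, clusters them in time so a sustained attack shows up as one burst rather than a stream of single events, and lists core files attributed to apmd. The log wording, the absence of F5 message IDs from the samples, and the `apmd.` core-file prefix are assumptions; adjust the patterns to what your own devices emit.

```python
"""Burst detection for apmd crashes (added example, not F5 code).

Sample records are constructed to resemble BIG-IP /var/log/ltm entries; real
records carry an F5 message ID before the text, which the patterns here do
not rely on.
"""
import re
from datetime import datetime

LTM_LOG = """\
Oct 15 14:02:11 bigip1 notice sod[4385]: HA daemon_heartbeat apmd fails action is restart.
Oct 15 14:02:12 bigip1 notice apmd[22310]: apmd starting
Oct 15 14:02:40 bigip1 err apmd[22310]: apmd stopped unexpectedly, signal 11
Oct 15 14:02:41 bigip1 notice sod[4385]: HA daemon_heartbeat apmd fails action is restart.
Oct 15 14:02:42 bigip1 notice apmd[22360]: apmd starting
Oct 15 14:03:15 bigip1 notice sod[4385]: HA daemon_heartbeat apmd fails action is restart.
Oct 15 14:03:16 bigip1 notice apmd[22402]: apmd starting
Oct 15 16:40:02 bigip1 notice mcpd[5001]: Pool /Common/pool_api member 10.0.0.5:443 monitor status up.
"""

# Constructed directory listing; BIG-IP is assumed to name cores after the daemon.
CORE_FILES = ["apmd.bld17.1.1.3.core.gz", "tmm.bld17.1.1.3.core.gz"]

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ ")
APMD_RESTART = re.compile(r"daemon_heartbeat apmd fails")
APMD_CRASH = re.compile(r"\bapmd\[\d+\]:.*\b(signal|core|terminated|stopped)\b", re.I)


def parse_line(line, year=2025):
    """Return (timestamp, kind) for an apmd restart/crash record, else None.

    Syslog lines carry no year, so one is assumed.
    """
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                           "%Y %b %d %H:%M:%S")
    if APMD_RESTART.search(line):
        return ts, "restart"
    if APMD_CRASH.search(line):
        return ts, "crash"
    return None


def apmd_crash_bursts(lines, gap_s=300, threshold=2):
    """Cluster apmd crash/restart events separated by at most gap_s seconds.

    Returns the clusters holding at least `threshold` events; a single crash
    after a deploy is noise, a run of them on an APM virtual server is not.
    """
    events = sorted(e for e in map(parse_line, lines) if e)
    clusters = []
    for ts, kind in events:
        if clusters and (ts - clusters[-1]["end"]).total_seconds() <= gap_s:
            clusters[-1]["end"] = ts
            clusters[-1]["events"].append(kind)
        else:
            clusters.append({"start": ts, "end": ts, "events": [kind]})
    return [c for c in clusters if len(c["events"]) >= threshold]


def apmd_cores(core_filenames):
    """Core files attributable to apmd (assumed '<daemon>.' naming prefix)."""
    return [f for f in core_filenames if f.startswith("apmd.")]


def detect(lines, core_filenames):
    """Combine both signals into one report for an alert pipeline."""
    bursts = apmd_crash_bursts(lines)
    return {
        "bursts": bursts,
        "cores": apmd_cores(core_filenames),
        "alert": bool(bursts) or bool(apmd_cores(core_filenames)),
    }


if __name__ == "__main__":
    report = detect(LTM_LOG.splitlines(), CORE_FILES)
    for b in report["bursts"]:
        print(f"apmd burst {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: {b['events']}")
    print("apmd cores:", report["cores"], "ALERT" if report["alert"] else "ok")
```

Correlating a reported burst with connection counts to the APM virtual servers over the same window (from LTM request logging or flow data) separates this crash pattern from an unrelated daemon fault.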

Mitigation and prioritisation

  • upgrade to a fixed release (17.5.1.3, 17.1.3, 16.1.6.1 or 15.1.10.8 and later on the respective branch); confirm the running version is still supported, since EoTS releases were not evaluated and receive no fix
  • limit exposure with network access controls: restrict the source addresses allowed to reach APM virtual servers and apply strict ACLs to the OAuth-enabled ones
  • disable or remove OAuth access profiles (Resource Server or Resource Client) that are not in use; enable additional logging for APM-related events
  • document and test apmd restart and failover procedures in maintenance windows so a crash is recovered quickly
  • treat as high-priority remediation given remote availability impact with no authentication or user interaction, subject to EPSS/KEV indicators when available
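Working through the steps above on a fleet means answering two questions per device: is the running version inside an affected range, and which virtual servers actually carry an APM access profile (and are reachable from anywhere)? The script below is an added triage example, not F5 tooling. It encodes the advisory's version ranges and parses constructed text in the shape of `tmsh show sys version`, `tmsh list apm profile access one-line` and `tmsh list ltm virtual one-line` output; the sample configuration, the profile names and the `oauth` substring heuristic used to flag likely OAuth profiles are assumptions, and the actual profile type should be confirmed on the device.

```python
"""Triage helper for CVE-2025-54854 (added example, not F5 tooling).

Checks a BIG-IP version against the affected ranges in the advisory and flags
virtual servers with an APM access profile attached, since the crash is only
reachable through such a virtual server. All tmsh output below is constructed
sample text, not captured from a real device.
"""
import re

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED = [("17.5.0", "17.5.1.3"), ("17.1.0", "17.1.3"),
            ("16.1.0", "16.1.6.1"), ("15.1.0", "15.1.10.8")]

SYS_VERSION = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1.3
  Build       0.0.5
"""

# Constructed one-line listings; settings inside the braces are illustrative.
APM_ACCESS = """\
apm profile access access_oauth_rs { accept-languages { en } access-policy access_oauth_rs }
apm profile access access_vpn { accept-languages { en } access-policy access_vpn }
"""
LTM_VIRTUAL = """\
ltm virtual vs_api_gw { destination 203.0.113.10:443 ip-protocol tcp mask 255.255.255.255 profiles { access_oauth_rs { } clientssl { context clientside } http { } tcp { } } source 0.0.0.0/0 }
ltm virtual vs_intranet { destination 10.0.0.20:443 ip-protocol tcp mask 255.255.255.255 profiles { access_vpn { } clientssl { context clientside } http { } tcp { } } source 10.0.0.0/8 }
ltm virtual vs_plain { destination 203.0.113.11:80 ip-protocol tcp mask 255.255.255.255 profiles { http { } tcp { } } source 0.0.0.0/0 }
"""


def parse_version(s):
    """'17.1.1.3' -> (17, 1, 1, 3, 0, 0); zero-padded so tuples compare cleanly."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (6 - len(parts))


def classify_version(ver):
    """'affected', 'fixed' (listed branch, at or above the fix) or 'not listed'
    (branch absent from the advisory, e.g. an EoTS release)."""
    v = parse_version(ver)
    for lo_s, hi_s in AFFECTED:
        lo, hi = parse_version(lo_s), parse_version(hi_s)
        if lo <= v < hi:
            return "affected"
        if v[:2] == lo[:2] and v >= hi:
            return "fixed"
    return "not listed"


def parse_sys_version(text):
    """Pull the version number out of 'tmsh show sys version' style output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)", text, re.M)
    return m.group(1) if m else None


def _block_after(text, key):
    """Text inside the braces that follow 'key {', honouring nested braces."""
    i = text.find(key + " {")
    if i < 0:
        return ""
    i += len(key) + 2
    depth, j = 1, i
    while j < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        j += 1
    return text[i:j - 1]


def _top_level_names(block):
    """Names that open a sub-block at depth 0, e.g. the profile names in 'profiles { ... }'."""
    names, depth, toks = [], 0, block.split()
    for k, tok in enumerate(toks):
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 0 and k + 1 < len(toks) and toks[k + 1] == "{":
            names.append(tok)
    return names


def access_profiles(text):
    """Map access-profile name -> one-line body from 'tmsh list apm profile access one-line'."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^apm profile access (\S+) \{(.*)\}\s*$", text, re.M)}


def exposed_virtuals(vs_text, profiles):
    """Virtual servers with an APM access profile attached, with their source
    restriction and a heuristic 'oauth' flag (substring match on the profile body)."""
    out = []
    for m in re.finditer(r"^ltm virtual (\S+) \{(.*)\}\s*$", vs_text, re.M):
        name, body = m.group(1), m.group(2)
        attached = [p for p in _top_level_names(_block_after(body, "profiles")) if p in profiles]
        if not attached:
            continue
        src = re.search(r"\bsource (\S+)", body)
        source = src.group(1) if src else "0.0.0.0/0"
        out.append({"virtual": name, "access_profiles": attached,
                    "oauth_hint": any("oauth" in profiles[p].lower() for p in attached),
                    "source": source, "unrestricted": source in ("0.0.0.0/0", "::/0")})
    return out


def triage(sys_text, apm_text, vs_text):
    """One report per device: version status plus the virtual servers to fix or fence off."""
    ver = parse_sys_version(sys_text)
    return {"version": ver, "status": classify_version(ver),
            "exposed": exposed_virtuals(vs_text, access_profiles(apm_text))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SYS_VERSION, APM_ACCESS, LTM_VIRTUAL), indent=2))
```

An entry that is `affected`, `oauth_hint` true and `unrestricted` true is the one to patch first; tightening the virtual server's `source` setting is the interim control the second bullet describes.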
