CVE Alert: CVE-2025-59781 – F5 – BIG-IP

CVE-2025-59781

HIGH · No exploitation known

When DNS cache is configured on a BIG-IP or BIG-IP Next CNF virtual server, undisclosed DNS queries can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
F5, F5
Product
BIG-IP, BIG-IP Next CNF
Versions
17.5.0 lt * | 17.1.0 lt 17.1.2.2 | 16.1.0 lt 16.1.6 | 15.1.0 lt 15.1.10.8 | 2.0.0 lt * | 1.1.0 lt *
CWE
CWE-459, CWE-459 Incomplete Cleanup
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-15T13:55:46.562Z
Updated
2025-10-16T03:56:29.117Z

AI Summary Analysis

Risk verdict

High risk of denial-of-service via memory exhaustion from DNS cache queries on the affected appliance family when DNS caching is enabled; no active exploitation data is provided, but remote, unauthenticated access is possible.

Why this matters

Memory exhaustion can render critical DNS services unavailable, impacting uptime for dependent applications and customers. The impact can cascade to downstream services, user authentication, and transactional workloads, increasing the potential for SLA breaches and revenue disruption.

Most likely attack path

An attacker can trigger the issue by sending network-originated DNS queries to a VIP with DNS caching enabled; no privileges or user interaction are required and complexity is low. The effect is resource exhaustion rather than data compromise, with potential for rapid service degradation and limited scope to the targeted DNS cache component.

Who is most exposed

Organisations deploying DNS caching on edge virtual servers or CNFs, especially in public cloud or multi-tenant environments, are most at risk. Deployments with high DNS query volumes or exposure to untrusted networks are particularly vulnerable.

Detection ideas

  • Monitor DNS cache process memory usage for sharp, sustained increases.
  • Alerts on abnormal DNS query volumes correlating with memory growth.
  • Anomalous VIP-level resource saturation without related workload increases.
  • System logs indicating DNS cache pressure or restarts.
  • Cross-check memory trends against baseline and recent configuration changes.
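The first, third and fifth ideas above can be combined into one check. The following is an added example, not vendor or site code: it flags windows in which memory rises at every sample faster than a threshold and labels each by whether query volume also rose above baseline. The sample data, the function names and all thresholds are assumptions to be tuned against your own telemetry.

```python
from statistics import mean

# Constructed samples, not real BIG-IP telemetry: (minute, dns_cache_mem_mb, dns_qps).
SAMPLES = [
    (0, 500, 1000), (1, 502, 1020), (2, 501, 990), (3, 503, 1010), (4, 502, 980),
    (5, 504, 1005), (6, 503, 995), (7, 505, 1010), (8, 540, 1000), (9, 580, 990),
    (10, 620, 1010), (11, 660, 1000), (12, 700, 990), (13, 740, 1005), (14, 780, 995),
]

def slope(xs, ys):
    """Least-squares slope of ys over xs (MB per minute here)."""
    mx, my = mean(xs), mean(ys)
    den = sum((x - mx) ** 2 for x in xs)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / den

def find_memory_growth(samples, window=5, min_mb_per_min=20.0,
                       baseline_n=5, qps_factor=1.5):
    """Return (start_minute, mb_per_min, kind) for each window of sustained growth.

    The first baseline_n samples define the normal query rate (assumed quiet).
    A window alerts only if memory rises at every step AND the fitted slope
    meets min_mb_per_min, so a single spike or slow drift does not fire.
    """
    baseline_qps = mean(q for _, _, q in samples[:baseline_n])
    alerts = []
    for i in range(baseline_n, len(samples) - window + 1):
        win = samples[i:i + window]
        minutes = [s[0] for s in win]
        mem = [s[1] for s in win]
        sustained = all(b > a for a, b in zip(mem, mem[1:]))
        rate = slope(minutes, mem)
        if not (sustained and rate >= min_mb_per_min):
            continue
        load = mean(s[2] for s in win)
        # Growth while query volume stays near baseline suggests memory that is
        # not being released, rather than a cache filling under heavier load.
        if load > qps_factor * baseline_qps:
            kind = "growth_with_query_spike"
        else:
            kind = "growth_without_load_increase"
        alerts.append((minutes[0], round(rate, 1), kind))
    return alerts

if __name__ == "__main__":
    for start, rate, kind in find_memory_growth(SAMPLES):
        print(f"minute {start}: +{rate} MB/min ({kind})")
```
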

Mitigation and prioritisation

  • Apply the vendor patch or upgrade to non-affected releases; validate in staging before production.
  • If patching is not feasible, disable DNS caching on affected Virtual Servers or tighten cache limits.
  • Implement DNS query rate limiting and bounded memory allocations for the DNS cache component.
  • Prepare change-management notes and rollback procedures; test thoroughly.
  • Data on KEV presence or EPSS score is not provided; treat as priority 2 unless EPSS ≥ 0.5 or KEV evidence becomes available, in which case escalate to priority 1.
