CVE Alert: CVE-2025-61938 – F5 – BIG-IP

CVE-2025-61938

HIGH · No exploitation known

When a BIG-IP Advanced WAF or ASM security policy is configured with a URL greater than 1024 characters in length for the Data Guard Protection Enforcement setting, either manually or through the automatic Policy Builder, the bd process can terminate repeatedly. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
F5
Product
BIG-IP
Versions
17.5.0 lt 17.5.1 | 17.1.0 lt 17.1.3 | 16.1.0 lt * | 15.1.0 lt *
CWE
CWE-1284: Improper Validation of Specified Quantity in Input
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-15T13:55:47.664Z
Updated
2025-10-16T03:56:55.081Z

AI Summary Analysis

Risk verdict

High risk to organisations using BIG-IP Advanced WAF/ASM with Data Guard Protection Enforcement enabled; exploitation activity is not confirmed in this feed, but the potential for rapid availability impact warrants prompt attention.

Why this matters

A crafted URL exceeding 1024 characters can crash the bd process, risking WAF/ASM availability and policy enforcement. In practice, this can disrupt protection for web apps and create a window for denial of service or degraded security posture during policy building.

Most likely attack path

Network-based with no privileges required and no user interaction. An external actor sends requests with ultra-long URLs to a BIG-IP ASM/Advanced WAF policy; if Data Guard Protection Enforcement is in use, the bd process can terminate repeatedly, causing service instability and potential collateral impact on policy handling.

Who is most exposed

Deployments where BIG-IP appliances are Internet-facing or placed in DMZs/cloud front ends, especially those relying on automated Policy Builder or Data Guard features to enforce long URL rules.

Detection ideas

  • bd process crash/restart events in system logs
  • Repeated restarts following policy-building operations
  • Logs or alerts for Data Guard Protection Enforcement triggers
  • Unusual spikes in WAF/ASM downtime or degraded availability
  • Core dumps or crash artifacts in standard fault directories
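The first two detection ideas (bd crash/restart events, and repeated restarts following policy-building operations) can be turned into a simple burst detector. The script below is an added example, not part of this alert or F5's tooling; it runs over constructed, syslog-style sample lines whose format, daemon tags and messages are hypothetical approximations rather than BIG-IP's real log output, so the regular expressions would need adjusting to the actual `/var/log` lines on a deployment. It groups bd restart events into clusters, raises an alert when a cluster reaches the threshold, and notes whether a Policy Builder event preceded the burst.

```python
"""Restart-burst detector for bd crash/restart events.

Added example (not from the advisory or from F5). The log format is a
constructed, syslog-style approximation:
    <ISO timestamp>Z <host> <tag>: <message>
Tags ("svcmon", "policy-builder") and message wording are hypothetical.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical format and messages):
# one Policy Builder change, a burst of three bd restarts within a minute,
# then an isolated restart much later that should not alert on its own.
SAMPLE_LOG = """\
2025-10-15T13:50:00Z bigip1 policy-builder: Policy Builder applied suggestions to policy /Common/app_policy
2025-10-15T13:50:12Z bigip1 svcmon: bd process exited unexpectedly, restarting
2025-10-15T13:50:40Z bigip1 svcmon: bd process exited unexpectedly, restarting
2025-10-15T13:51:05Z bigip1 svcmon: bd process exited unexpectedly, restarting
2025-10-15T15:10:00Z bigip1 svcmon: bd process exited unexpectedly, restarting
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
# "bd" as a whole word followed by an exit/crash/restart keyword in the message.
BD_RESTART_RE = re.compile(r"\bbd\b.*\b(exited|crash|crashed|restart|restarting)\b", re.IGNORECASE)
POLICY_BUILDER_RE = re.compile(r"policy builder", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def cluster_events(events, window):
    """Group time-sorted events so that consecutive members are at most `window` apart."""
    clusters = []
    for e in events:
        if clusters and e["ts"] - clusters[-1][-1]["ts"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def find_restart_bursts(log_text, threshold=3, window=timedelta(minutes=10),
                        lookback=timedelta(minutes=30)):
    """Return one alert per host for every cluster of >= threshold bd restarts.

    Each alert records the burst boundaries, the restart count, and whether a
    Policy Builder event occurred within `lookback` before the burst started,
    which is the correlation the advisory's detection ideas point at.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    builder_events = [e for e in events if POLICY_BUILDER_RE.search(e["msg"])]
    alerts = []
    # Evaluate bursts per host so two appliances do not blend into one cluster.
    for host in sorted({e["host"] for e in events}):
        restarts = sorted(
            (e for e in events if e["host"] == host and BD_RESTART_RE.search(e["msg"])),
            key=lambda e: e["ts"],
        )
        for group in cluster_events(restarts, window):
            if len(group) < threshold:
                continue
            start, end = group[0]["ts"], group[-1]["ts"]
            preceded = any(
                b["host"] == host and start - lookback <= b["ts"] <= start
                for b in builder_events
            )
            alerts.append({
                "host": host,
                "first": start,
                "last": end,
                "count": len(group),
                "after_policy_builder": preceded,
            })
    return alerts


if __name__ == "__main__":
    for a in find_restart_bursts(SAMPLE_LOG):
        print(f"{a['host']}: {a['count']} bd restarts between {a['first']} and {a['last']}"
              f" (policy builder activity beforehand: {a['after_policy_builder']})")
```

The threshold and window are deliberately conservative defaults; a single restart is normal operational noise, whereas three or more within ten minutes on one host, especially right after Policy Builder activity, is the pattern this advisory describes and is worth paging on.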

Mitigation and prioritisation

  • Apply vendor patch/update to supported non-affected versions; verify release notes for fixes addressing long-URL handling.
  • If patching is delayed, disable or constrain Data Guard Protection Enforcement for overly long URLs and enforce server-side URL length validation at the edge.
  • Implement proactive monitoring for bd process stability and policy-builder activity; ensure rapid rollback plans.
  • Schedule change-control and test in staging before production rollout; verify EoTS status and supportability.
