CVE-2025-21087 Overview
CVE-2025-21087 is a resource exhaustion vulnerability [CWE-400] affecting F5 BIG-IP products. When Client or Server SSL profiles are configured on a Virtual Server, or when DNSSEC signing operations are in use, undisclosed network traffic can cause increased memory and CPU resource utilization. The vulnerability is network-exploitable without authentication and can render affected services unresponsive. F5 published this issue on February 5, 2025, with the latest update on October 21, 2025. Software versions that have reached End of Technical Support (EoTS) are not evaluated by F5.
Critical Impact
Unauthenticated remote attackers can trigger sustained CPU and memory exhaustion on BIG-IP virtual servers using SSL profiles or DNSSEC, leading to denial of service on critical traffic management infrastructure.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM), Access Policy Manager (APM), and Advanced WAF
- F5 BIG-IP Domain Name System (DNS), Global Traffic Manager (GTM), and SSL Orchestrator
- F5 BIG-IP Advanced Firewall Manager (AFM), DDoS Hybrid Defender, and Policy Enforcement Manager (PEM)
Discovery Timeline
- 2025-02-05 - CVE-2025-21087 published to NVD
- 2025-10-21 - Last updated in NVD database
Technical Details for CVE-2025-21087
Vulnerability Analysis
The vulnerability resides in how BIG-IP processes specific network traffic when SSL profile or DNSSEC signing functionality is active. Attackers can send undisclosed traffic patterns to a Virtual Server configured with a Client SSL or Server SSL profile. The same impact occurs on systems performing DNSSEC signing operations through BIG-IP DNS or Global Traffic Manager.
Processing this traffic causes a sustained spike in CPU consumption and memory allocation. Because BIG-IP commonly serves as a front-line proxy and traffic manager, exhaustion of its data plane resources degrades availability for every backend service routed through it. The attack requires no credentials, no user interaction, and traverses the network attack surface directly.
Root Cause
F5 has not publicly disclosed the specific traffic pattern or parsing flaw to limit weaponization. The condition is classified under CWE-400 (Uncontrolled Resource Consumption), indicating that input handling within the SSL or DNSSEC code paths fails to enforce proper bounds on resource allocation. Repeated or malformed protocol interactions amplify resource use beyond what legitimate traffic produces.
Attack Vector
Exploitation is remote and unauthenticated. An attacker only needs network reachability to a Virtual Server that has a Client SSL profile, Server SSL profile, or DNSSEC signing enabled. Configurations without these features are not affected. F5 has not published proof-of-concept code, and no public exploit is currently available. The EPSS score is approximately 0.417%, reflecting low observed exploitation activity to date.
For full technical context, see the F5 Knowledge Base Article K000134888.
Detection Methods for CVE-2025-21087
Indicators of Compromise
- Sustained high CPU utilization on Traffic Management Microkernel (TMM) processes without proportional legitimate traffic volume
- Memory consumption growth on the BIG-IP data plane that does not free after connections close
- Unresponsive Virtual Servers with SSL profiles attached or BIG-IP DNS instances performing DNSSEC signing
- Spikes in TLS handshake or DNS query rates from a narrow set of source IPs
Detection Strategies
- Monitor tmsh show sys performance and tmsh show sys cpu output for abnormal TMM resource usage trends
- Correlate SSL handshake failure rates and DNSSEC signing latency against historical baselines
- Forward BIG-IP ltm and dns logs to a centralized analytics platform for anomaly identification
Monitoring Recommendations
- Enable SNMP polling of CPU and memory counters on all BIG-IP appliances with alerting thresholds tuned below saturation
- Track per-Virtual-Server connection rate and concurrent connection counts to detect targeted floods
- Capture netflow or packet samples on upstream devices to identify traffic sources that precede resource exhaustion events
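The indicators and monitoring recommendations above boil down to one correlation: TMM CPU and memory that climb without a matching rise in connection volume, and memory that stays high after connections drain. The following Python script is an added example (not F5 code and not part of the original advisory) that applies both checks to a polled counter series. The record fields (`cpu_pct`, `mem_pct`, `conns`), the tuning constants and the sample values are constructed assumptions standing in for what an SNMP or REST poller would export; they are not captured BIG-IP data.

```python
"""Correlate TMM resource usage with traffic volume to flag exhaustion events.

Added example, not F5's code. It consumes polled TMM counters as plain records;
the field names, thresholds and the sample series below are constructed
assumptions, not real BIG-IP output.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    ts: int          # poll timestamp in seconds
    cpu_pct: float   # TMM CPU utilisation, percent
    mem_pct: float   # TMM memory utilisation, percent
    conns: int       # concurrent connections on the monitored virtual server


def cpu_per_conn(s: Sample) -> float:
    """CPU cost per open connection; exhaustion shows up as a jump in this ratio."""
    return s.cpu_pct / max(s.conns, 1)


def baseline_ratio(healthy: List[Sample]) -> float:
    """Mean CPU-per-connection cost over a window known to carry normal traffic."""
    return mean(cpu_per_conn(s) for s in healthy)


def find_cpu_without_traffic(samples: List[Sample], base: float, cpu_thresh: float = 85.0,
                             ratio_factor: float = 3.0, min_run: int = 3) -> List[Tuple[int, int]]:
    """Return (start_ts, end_ts) for each run of >= min_run consecutive samples where CPU is
    above cpu_thresh AND the per-connection cost exceeds ratio_factor x baseline.
    A legitimate surge raises CPU but keeps the ratio near baseline, so it is not flagged."""
    alerts: List[Tuple[int, int]] = []
    run: List[Sample] = []
    for s in samples:
        if s.cpu_pct >= cpu_thresh and cpu_per_conn(s) > ratio_factor * base:
            run.append(s)
            continue
        if len(run) >= min_run:
            alerts.append((run[0].ts, run[-1].ts))
        run = []
    if len(run) >= min_run:
        alerts.append((run[0].ts, run[-1].ts))
    return alerts


def memory_not_released(samples: List[Sample], drop_fraction: float = 0.5) -> bool:
    """Heuristic for 'memory that does not free after connections close': after the
    connection peak, connections fall below drop_fraction of the peak while memory
    utilisation stays at or above its level at the peak."""
    peak = max(samples, key=lambda s: s.conns)
    after = [s for s in samples if s.ts > peak.ts]
    if not after:
        return False
    last = after[-1]
    return last.conns < drop_fraction * peak.conns and last.mem_pct >= peak.mem_pct


# Constructed 60 s poll series; values are illustrative, not captured data.
HEALTHY = [
    Sample(0, 25, 40, 2300), Sample(60, 22, 40, 2400), Sample(120, 28, 41, 2600),
    Sample(180, 30, 41, 2700), Sample(240, 24, 40, 2500), Sample(300, 26, 40, 2400),
]
OBSERVED = HEALTHY + [
    # exhaustion: CPU pinned and memory climbing while the connection count is flat
    Sample(360, 92, 45, 2100), Sample(420, 95, 52, 2150), Sample(480, 97, 60, 2100),
    # legitimate surge: CPU high but proportional to a five-fold connection count
    Sample(540, 90, 58, 12000), Sample(600, 88, 58, 11800),
    # traffic drains, memory does not
    Sample(660, 35, 61, 2000), Sample(720, 30, 61, 1900),
]


def run_detection(samples: List[Sample] = OBSERVED, healthy: List[Sample] = HEALTHY) -> Dict[str, object]:
    """Run both checks and return their findings keyed by indicator name."""
    base = baseline_ratio(healthy)
    return {
        "cpu_without_traffic": find_cpu_without_traffic(samples, base),
        "memory_not_released": memory_not_released(samples),
    }


if __name__ == "__main__":
    print(run_detection())
```

On the constructed series the CPU check flags only the 360-480 s run and ignores the later surge, because the surge's CPU is proportional to its connection count; the memory check fires because utilisation at 720 s is still above its value at the connection peak. The 3x ratio factor and 85% CPU threshold are starting points to tune against the platform's own baseline, as the monitoring recommendations suggest.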
How to Mitigate CVE-2025-21087
Immediate Actions Required
- Identify all BIG-IP Virtual Servers with Client or Server SSL profiles attached and all BIG-IP DNS instances performing DNSSEC signing
- Apply the fixed software versions listed in F5 Knowledge Base Article K000134888 as soon as maintenance windows permit
- Restrict management plane access and place rate limits in front of exposed Virtual Servers using SSL or DNSSEC
Patch Information
F5 has released fixed software versions for supported BIG-IP branches. Refer to the vendor advisory at F5 K000134888 for the specific fixed versions mapped to each affected product family. Versions that have reached End of Technical Support are not evaluated and should be upgraded to a supported branch.
Workarounds
- Where patching is delayed, remove Client and Server SSL profiles from Virtual Servers that do not require them
- Disable DNSSEC signing operations on BIG-IP DNS instances if the feature is not actively used
- Apply upstream rate limiting and connection throttling using an iRule or AFM policy to constrain traffic to vulnerable Virtual Servers
# Configuration example: list Virtual Servers with SSL profiles attached
# (matches only profiles whose names contain "clientssl" or "serverssl", i.e. the
# default profile names; SSL profiles with custom names are not listed by this grep)
tmsh list ltm virtual one-line | grep -E "clientssl|serverssl"
# Example AFM rate-limit configuration applied to a Virtual Server
tmsh create security firewall rule-list rl-ssl-protect rules add { limit-ssl { \
action drop \
rate-limit 1000 \
ip-protocol tcp \
destination { ports add { 443 } } } }
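The first immediate action, identifying every Virtual Server that carries a Client SSL or Server SSL profile, is only as complete as the inventory method. A grep for the default profile names misses renamed profiles, whereas the `context clientside` / `context serverside` attribute that `tmsh list ltm virtual` prints for SSL profiles does not depend on the name. The Python parser below is an added example, not F5 tooling and not from the original advisory; the brace-structured layout it parses is my understanding of that command's output, and the sample text, virtual server names and profile names are constructed.

```python
"""Inventory virtual servers that carry a Client SSL or Server SSL profile.

Added example, not F5 tooling. It parses the brace-structured text that
`tmsh list ltm virtual` prints (layout assumed from that command's usual form);
the sample output, virtual server names and profile names are constructed.
SSL profiles are recognised by their `context` attribute rather than by name.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout `tmsh list ltm virtual` is assumed to print.
SAMPLE_TMSH_OUTPUT = """\
ltm virtual /Common/vs_web_https {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/http { }
        /Common/tcp { }
        /Common/corp-wildcard-tls {
            context clientside
        }
        /Common/backend-tls {
            context serverside
        }
    }
}
ltm virtual /Common/vs_web_http {
    destination /Common/203.0.113.10:80
    ip-protocol tcp
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_dns {
    destination /Common/203.0.113.53:53
    ip-protocol udp
    profiles {
        /Common/dns { }
        /Common/udp { }
    }
}
"""

SSL_CONTEXTS = {"clientside": "Client SSL", "serverside": "Server SSL"}


def parse_virtuals(text: str) -> Dict[str, Dict[str, str]]:
    """Return {virtual_name: {profile_name: context}} from `tmsh list ltm virtual` text.
    Profiles printed as `name { }` have no explicit context and are recorded as "all"."""
    virtuals: Dict[str, Dict[str, str]] = {}
    current = None          # virtual server currently being parsed
    depth = 0               # brace nesting depth
    profiles_depth = None   # depth at which the `profiles {` block was opened
    profile = None          # profile whose attribute block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if depth == 0:
            m = re.match(r"^ltm virtual (\S+) \{$", line)
            if m:
                current = m.group(1)
                virtuals[current] = {}
        elif current is not None:
            if profiles_depth is None and line == "profiles {":
                profiles_depth = depth
            elif profiles_depth is not None and depth == profiles_depth + 1:
                # direct child of the profiles block: "<name> { }" or "<name> {"
                pm = re.match(r"^(\S+) \{", line)
                if pm:
                    profile = pm.group(1)
                    virtuals[current][profile] = "all"
            elif profiles_depth is not None and depth == profiles_depth + 2 and profile:
                cm = re.match(r"^context (\S+)$", line)
                if cm:
                    virtuals[current][profile] = cm.group(1)
        depth += line.count("{") - line.count("}")
        if profiles_depth is not None and depth <= profiles_depth:
            profiles_depth = None
            profile = None
        if depth == 0:
            current = None
    return virtuals


def virtuals_with_ssl(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each virtual server carrying an SSL profile to its (profile, role) pairs."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for vs, profiles in parse_virtuals(text).items():
        ssl = [(p, SSL_CONTEXTS[ctx]) for p, ctx in profiles.items() if ctx in SSL_CONTEXTS]
        if ssl:
            result[vs] = ssl
    return result


if __name__ == "__main__":
    # In practice feed the real output in, e.g. `tmsh list ltm virtual > vs.txt`.
    for vs, ssl in virtuals_with_ssl(SAMPLE_TMSH_OUTPUT).items():
        print(vs, ssl)
```

On the sample text only `/Common/vs_web_https` is reported, with its custom-named profiles tagged as Client SSL and Server SSL; the plain HTTP and DNS virtual servers are left out of the patch-priority list, while the DNS side of the advisory still needs a separate check for DNSSEC signing on BIG-IP DNS instances.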
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.