CVE-2025-21087 Overview
CVE-2025-21087 is a resource exhaustion vulnerability affecting F5 BIG-IP products when Client or Server SSL profiles are configured on a Virtual Server, or when DNSSEC signing operations are in use. When exploited, specially crafted undisclosed traffic can cause an increase in memory and CPU resource utilization, potentially leading to a denial of service condition.
This vulnerability poses a significant risk to organizations relying on F5 BIG-IP infrastructure for application delivery, load balancing, and security services. The network-accessible attack vector combined with no required authentication makes this vulnerability particularly concerning for internet-facing deployments.
Critical Impact
Undisclosed network traffic can exhaust memory and CPU resources on F5 BIG-IP devices configured with SSL profiles or DNSSEC signing, potentially causing service disruption for critical business applications.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Advanced Web Application Firewall (AWAF)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Domain Name System (DNS)
- F5 BIG-IP Global Traffic Manager (GTM)
- F5 BIG-IP Policy Enforcement Manager (PEM)
- F5 BIG-IP Analytics
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Carrier-Grade NAT (CGNAT)
- F5 BIG-IP Link Controller
- F5 BIG-IP WebAccelerator
- F5 BIG-IP Application Visibility and Reporting (AVR)
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP Container Ingress Services
- F5 BIG-IP Automation Toolchain
- F5 BIG-IP Application Acceleration Manager
- F5 BIG-IP WebSafe
Discovery Timeline
- February 5, 2025 - CVE-2025-21087 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21087
Vulnerability Analysis
CVE-2025-21087 is classified as a Resource Exhaustion vulnerability (CWE-400: Uncontrolled Resource Consumption). The vulnerability affects the SSL/TLS processing and DNSSEC signing components within F5 BIG-IP devices.
When a Virtual Server is configured with Client SSL or Server SSL profiles, or when DNSSEC signing operations are enabled on BIG-IP DNS, the system becomes susceptible to resource exhaustion attacks. An attacker can send specially crafted network traffic that triggers excessive memory allocation and CPU processing within the affected components. This can degrade system performance or cause complete service unavailability.
The vulnerability is exploitable remotely without authentication, though certain preconditions must be met—specifically, the target must have SSL profiles configured on Virtual Servers or DNSSEC signing enabled. F5 notes that software versions which have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.
Root Cause
The root cause of this vulnerability lies in improper resource management within the SSL/TLS processing and DNSSEC signing subsystems of F5 BIG-IP. When processing certain types of network traffic, the affected components fail to properly limit resource consumption, allowing an attacker to trigger unbounded memory allocation and CPU utilization. This represents a classic uncontrolled resource consumption flaw where input validation or resource throttling mechanisms are insufficient to prevent abuse.
Attack Vector
The attack vector for CVE-2025-21087 is network-based, requiring no authentication or user interaction. An attacker with network access to an affected BIG-IP Virtual Server can exploit this vulnerability by sending specially crafted traffic to the device. The attack exploits the SSL processing pathway or DNSSEC operations to cause resource exhaustion.
The vulnerability requires the following preconditions:
- A Virtual Server configured with Client SSL or Server SSL profiles, OR
- DNSSEC signing operations enabled on BIG-IP DNS
Since the specific traffic patterns that trigger this vulnerability are described as "undisclosed" by F5, the exact exploitation method is not publicly documented. This is a common practice to provide organizations time to patch before detailed exploitation techniques become widely known. Organizations should consult the F5 Security Article K000134888 for specific mitigation guidance.
Detection Methods for CVE-2025-21087
Indicators of Compromise
- Unusual spikes in memory utilization on BIG-IP devices without corresponding legitimate traffic increases
- Elevated CPU usage on BIG-IP systems, particularly in SSL processing or DNSSEC-related processes
- Degraded performance or increased latency for applications served through affected Virtual Servers
- BIG-IP system logs indicating resource pressure or out-of-memory conditions
- TMM (Traffic Management Microkernel) core dumps or restarts
Detection Strategies
- Monitor BIG-IP system statistics via SNMP, iControl REST API, or the BIG-IP management console for abnormal resource consumption patterns
- Implement network traffic analysis to identify anomalous SSL/TLS connection patterns to Virtual Servers
- Configure alerts for memory utilization exceeding baseline thresholds on BIG-IP devices
- Review BIG-IP logs (/var/log/ltm) for indicators of SSL processing errors or resource exhaustion warnings
Monitoring Recommendations
- Establish baseline metrics for CPU and memory utilization on all BIG-IP devices during normal operation
- Deploy SentinelOne Singularity XDR for endpoint visibility and correlation of network anomalies with potential exploitation attempts
- Enable BIG-IP high availability (HA) monitoring to detect failover events triggered by resource exhaustion
- Implement continuous monitoring of Virtual Server performance metrics and SSL handshake rates
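The baseline-and-threshold approach described in the detection and monitoring items above can be implemented against the statistics BIG-IP exposes over iControl REST. The following Python is an added example, not code from the advisory, from F5 or from SentinelOne. It parses the JSON shape returned by the /mgmt/tm/sys/tmm-info/stats endpoint (the field names memoryTotal, memoryUsed and oneMinAvgUsageRatio are assumed from that endpoint and should be verified against your BIG-IP version), learns a per-metric baseline from earlier polls, and flags any TMM whose memory or CPU rises above the baseline by more than a configurable number of standard deviations or an absolute floor. All sample responses are constructed inline so the example runs offline; in production the payloads would come from authenticated GET requests to the management interface.

```python
"""Baseline-deviation alerting over BIG-IP tmm-info statistics (added example)."""
from __future__ import annotations

import json
import statistics
from dataclasses import dataclass


@dataclass
class TmmSample:
    tmm: str            # TMM identifier, e.g. "0.0"
    mem_used_pct: float  # memoryUsed / memoryTotal, in percent
    cpu_1min_pct: float  # oneMinAvgUsageRatio, in percent


@dataclass
class Baseline:
    mem_mean: float
    mem_stdev: float
    cpu_mean: float
    cpu_stdev: float


def parse_tmm_info(payload: str) -> list[TmmSample]:
    """Extract per-TMM memory and CPU figures from a tmm-info/stats response.

    Assumed layout: entries -> <selfLink> -> nestedStats -> entries -> {field: {value}}.
    """
    doc = json.loads(payload)
    samples = []
    for self_link, entry in doc["entries"].items():
        fields = entry["nestedStats"]["entries"]
        total = fields["memoryTotal"]["value"]
        used = fields["memoryUsed"]["value"]
        cpu = fields["oneMinAvgUsageRatio"]["value"]
        tmm = self_link.rsplit("/", 2)[-2]  # ".../tmm-info/0.0/stats" -> "0.0"
        samples.append(TmmSample(tmm, 100.0 * used / total, float(cpu)))
    return samples


def learn_baseline(history: list[list[TmmSample]]) -> Baseline:
    """Mean and population standard deviation over every TMM in every past poll."""
    mem = [s.mem_used_pct for snap in history for s in snap]
    cpu = [s.cpu_1min_pct for snap in history for s in snap]
    return Baseline(statistics.fmean(mem), statistics.pstdev(mem),
                    statistics.fmean(cpu), statistics.pstdev(cpu))


def evaluate(current: list[TmmSample], baseline: Baseline,
             sigmas: float = 3.0, min_delta_pct: float = 10.0) -> list[str]:
    """Return one alert string per metric that exceeds the learned baseline.

    The absolute floor (min_delta_pct) stops a perfectly flat baseline, whose
    standard deviation is zero, from alerting on every tiny fluctuation.
    """
    alerts = []
    for s in current:
        checks = (("memory", s.mem_used_pct, baseline.mem_mean, baseline.mem_stdev),
                  ("cpu", s.cpu_1min_pct, baseline.cpu_mean, baseline.cpu_stdev))
        for metric, value, mean, sd in checks:
            threshold = max(mean + sigmas * sd, mean + min_delta_pct)
            if value > threshold:
                alerts.append(f"tmm {s.tmm} {metric} {value:.1f}% exceeds baseline "
                              f"{mean:.1f}% (threshold {threshold:.1f}%)")
    return alerts


def make_tmm_info(tmms: dict[str, tuple[int, int, int]]) -> str:
    """Build a constructed tmm-info/stats response: tmm -> (total bytes, used bytes, cpu %)."""
    entries = {}
    for tmm, (total, used, cpu) in tmms.items():
        entries[f"https://localhost/mgmt/tm/sys/tmm-info/{tmm}/stats"] = {
            "nestedStats": {"entries": {
                "memoryTotal": {"value": total},
                "memoryUsed": {"value": used},
                "oneMinAvgUsageRatio": {"value": cpu},
            }}
        }
    return json.dumps({"kind": "tm:sys:tmm-info:tmm-infostats", "entries": entries})


# Constructed sample data: three quiet polls, then one where tmm 0.0 is under pressure.
GIB = 1024 ** 3
RECENT_HISTORY = [
    make_tmm_info({"0.0": (8 * GIB, int(0.40 * 8 * GIB), 10), "0.1": (8 * GIB, int(0.41 * 8 * GIB), 11)}),
    make_tmm_info({"0.0": (8 * GIB, int(0.42 * 8 * GIB), 12), "0.1": (8 * GIB, int(0.40 * 8 * GIB), 10)}),
    make_tmm_info({"0.0": (8 * GIB, int(0.41 * 8 * GIB), 11), "0.1": (8 * GIB, int(0.42 * 8 * GIB), 12)}),
]
LATEST = make_tmm_info({"0.0": (8 * GIB, int(0.85 * 8 * GIB), 65), "0.1": (8 * GIB, int(0.41 * 8 * GIB), 11)})


def run_check() -> list[str]:
    """Learn the baseline from RECENT_HISTORY and evaluate LATEST against it."""
    baseline = learn_baseline([parse_tmm_info(p) for p in RECENT_HISTORY])
    return evaluate(parse_tmm_info(LATEST), baseline)


if __name__ == "__main__":
    for line in run_check():
        print("ALERT:", line)
```

Run as a script it prints two alerts, both for tmm 0.0 (memory at 85% against a 41% baseline, CPU at 65% against 11%), while tmm 0.1 stays silent. The same evaluate() logic can be fed from SNMP or from the F5 Analytics/AVR data the page mentions; the point is to alert on deviation from a learned baseline rather than on a single fixed number, and to correlate any alert with SSL handshake rates on the affected Virtual Servers before treating it as an exploitation attempt.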
How to Mitigate CVE-2025-21087
Immediate Actions Required
- Review F5 Security Advisory K000134888 for complete vulnerability details and affected version information
- Inventory all BIG-IP devices in your environment running Client/Server SSL profiles or DNSSEC signing
- Prioritize patching of internet-facing BIG-IP devices with SSL profiles configured
- Implement network-level rate limiting and traffic filtering where possible to reduce attack surface
- Ensure BIG-IP high availability configurations are properly functioning to minimize impact of potential resource exhaustion
Patch Information
F5 has released security patches to address CVE-2025-21087. Organizations should apply the appropriate hotfix or upgrade to a fixed version as specified in F5 Security Article K000134888. Review the advisory for specific fixed versions applicable to your BIG-IP deployment.
When planning patch deployment:
- Download the appropriate update from F5 Downloads
- Review release notes for any breaking changes or dependencies
- Test the update in a non-production environment
- Schedule maintenance windows for production updates
- Verify system functionality after patching
Workarounds
- If patching is not immediately possible, consider restricting network access to affected Virtual Servers using firewall rules or BIG-IP AFM policies
- Implement connection rate limiting on Virtual Servers to reduce the potential impact of resource exhaustion attacks
- Disable unnecessary SSL profiles on Virtual Servers that do not require SSL/TLS termination
- For DNSSEC-affected deployments, evaluate whether DNSSEC signing can be temporarily disabled or moved to non-vulnerable infrastructure
- Monitor resource utilization closely and implement automated alerts for rapid incident response
# Example: Check BIG-IP SSL profile configuration via tmsh
tmsh list ltm virtual all | grep -A5 "profiles"
# Example: Monitor TMM memory utilization
tmsh show sys tmm-info | grep -E "(memory|cpu)"
# Example: Review connection table for anomalies
tmsh show sys connection count
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.