CVE-2025-21091 Overview
CVE-2025-21091 is a memory leak vulnerability (CWE-401) affecting F5 BIG-IP devices when SNMP v1 or v2c protocols are disabled. When this condition exists, specially crafted undisclosed requests can trigger an increase in memory resource utilization, potentially leading to denial of service conditions. This vulnerability is particularly concerning given that F5 BIG-IP devices are typically deployed as critical infrastructure components handling load balancing, application delivery, and security functions.
Critical Impact
Attackers can exploit this vulnerability remotely without authentication to cause memory exhaustion on F5 BIG-IP devices, potentially disrupting critical network infrastructure and application delivery services.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Global Traffic Manager (GTM)
- F5 BIG-IP Domain Name System (DNS)
- F5 BIG-IP Policy Enforcement Manager (PEM)
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Analytics
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Carrier-Grade NAT
- F5 BIG-IP Link Controller
- F5 BIG-IP WebAccelerator
- F5 BIG-IP Application Visibility and Reporting
- F5 BIG-IP Edge Gateway
- F5 BIG-IP WebSafe
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP Automation Toolchain
- F5 BIG-IP Container Ingress Services
- F5 BIG-IP Application Acceleration Manager
Discovery Timeline
- February 5, 2025 - CVE-2025-21091 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21091
Vulnerability Analysis
This vulnerability stems from improper memory management within the SNMP processing subsystem of F5 BIG-IP devices. When SNMP v1 or v2c protocols are administratively disabled, the system fails to properly release memory allocated for processing certain types of incoming requests. This constitutes a classic memory leak condition (CWE-401: Missing Release of Memory after Effective Lifetime) where memory is allocated but never freed, causing progressive memory consumption over time.
The vulnerability is exploitable over the network without requiring authentication, making it accessible to remote attackers who can send requests to the BIG-IP management interface. As memory resources become exhausted, the device's performance degrades, potentially impacting all services hosted on the affected platform including load balancing, SSL termination, and application firewall functions.
Root Cause
The root cause is a failure to properly deallocate memory buffers in the SNMP daemon when processing requests under the specific condition where SNMP v1 or v2c protocols have been disabled. The code path for handling these requests appears to allocate memory resources but lacks corresponding cleanup routines when the protocol versions are in a disabled state, leading to memory that is allocated but never freed during normal operation.
Attack Vector
The attack can be executed remotely over the network. An attacker would send specially crafted requests to the target BIG-IP device. Since the vulnerability requires no authentication or user interaction, an attacker only needs network access to the management interface or data plane ports where SNMP traffic is processed. Repeated requests would cause gradual memory consumption until system resources are exhausted, resulting in denial of service. The attack does not require prior knowledge of the target system configuration beyond confirming that SNMP v1/v2c is disabled.
Detection Methods for CVE-2025-21091
Indicators of Compromise
- Unusual increase in memory utilization on BIG-IP devices, particularly in SNMP-related processes
- System logs indicating memory pressure or out-of-memory conditions without corresponding legitimate workload increases
- Unexpected SNMP-related traffic patterns or requests from untrusted sources
- Performance degradation of BIG-IP services including increased latency or connection timeouts
Detection Strategies
- Monitor BIG-IP memory utilization metrics and set alerting thresholds for abnormal consumption patterns
- Implement network traffic analysis to detect unusual SNMP traffic volumes or patterns targeting BIG-IP management interfaces
- Review BIG-IP system logs regularly for memory-related warnings or errors in the snmpd process
- Deploy SentinelOne Singularity for endpoint detection and response capabilities on systems interacting with BIG-IP infrastructure
Monitoring Recommendations
- Configure SNMP polling of BIG-IP memory statistics from a trusted monitoring system
- Set up automated alerts for memory utilization exceeding baseline thresholds
- Monitor network flows to BIG-IP management interfaces for anomalous traffic patterns
- Implement centralized log collection and analysis for BIG-IP syslog messages
How to Mitigate CVE-2025-21091
Immediate Actions Required
- Review your BIG-IP SNMP configuration to determine if v1 or v2c are disabled, identifying systems at risk
- Apply vendor patches as soon as they become available from F5
- Restrict network access to BIG-IP management interfaces using firewall rules or access control lists
- Monitor affected systems for signs of memory exhaustion while waiting for patching
- Consider enabling SNMP v1 or v2c temporarily as a workaround if security policies permit and network isolation is in place
Patch Information
F5 has published a security advisory addressing this vulnerability. Organizations should consult the F5 Knowledge Center Article K000140933 for specific patch versions and update instructions for their BIG-IP deployment. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability, so organizations running legacy versions should consider upgrading to supported releases.
Workarounds
- Restrict access to BIG-IP management interfaces to trusted networks only using firewall rules or BIG-IP self IP port lockdown features
- If operationally feasible and security policies permit, temporarily enable SNMP v1 or v2c with strong community strings while implementing network access restrictions
- Implement network segmentation to isolate BIG-IP management traffic from untrusted networks
- Schedule regular device reboots during maintenance windows to clear accumulated memory if patching is delayed
# Example: Restrict SNMP access to trusted management subnet only
# Configure on BIG-IP using tmsh
tmsh modify sys snmp allowed-addresses add { 10.0.0.0/24 }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
