CVE-2025-24312 Overview
CVE-2025-24312 is a resource exhaustion vulnerability affecting F5 BIG-IP Advanced Firewall Manager (AFM) when the IPS module is enabled and a protocol inspection profile is configured on a virtual server, firewall rule, or policy. Specially crafted undisclosed traffic can trigger excessive CPU resource utilization, potentially leading to a denial of service condition that degrades the performance or availability of protected services.
Critical Impact
Attackers can remotely cause significant CPU resource exhaustion on affected BIG-IP AFM deployments, potentially disrupting firewall protection and availability of critical network services without requiring authentication.
Affected Products
- F5 BIG-IP Advanced Firewall Manager
- F5 BIG-IP Next Cloud-Native Network Functions
Discovery Timeline
- February 5, 2025 - CVE-2025-24312 published to NVD
- November 12, 2025 - Last updated in NVD database
Technical Details for CVE-2025-24312
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw exists in the protocol inspection functionality of the BIG-IP AFM IPS module. When processing certain types of network traffic, the system fails to properly limit resource consumption, allowing an attacker to trigger excessive CPU utilization through specifically crafted packets.
The vulnerability can be exploited remotely over the network without requiring any authentication or user interaction. An attacker can send malicious traffic to a virtual server, firewall rule, or policy that has protocol inspection enabled, causing the affected system to consume abnormal amounts of CPU resources.
Root Cause
The underlying issue stems from improper resource allocation controls within the protocol inspection engine. When the IPS module processes certain undisclosed traffic patterns, it enters a state where CPU cycles are consumed without appropriate throttling or bounds checking. This represents a classic resource exhaustion vulnerability where the system fails to implement proper limits on computational resources allocated to processing individual requests or traffic streams.
Attack Vector
The attack can be initiated remotely over the network by sending specially crafted traffic to any virtual server, firewall rule, or policy that has a protocol inspection profile configured. The attack requires no authentication or privileges, making it accessible to any network-level attacker who can reach the affected BIG-IP AFM system.
The vulnerability specifically targets the protocol inspection functionality, meaning only deployments with the IPS module enabled and protocol inspection profiles actively configured are vulnerable. Traffic processing occurs at the network layer, so an attacker can launch the attack from anywhere on the network that can route packets to the affected system.
Detection Methods for CVE-2025-24312
Indicators of Compromise
- Unusual or sustained high CPU utilization on BIG-IP AFM systems with IPS module enabled
- Performance degradation or increased latency on virtual servers with protocol inspection profiles
- Unexpected spikes in protocol inspection processing metrics
- System alerts related to CPU exhaustion or resource constraints
Detection Strategies
- Monitor CPU utilization metrics on BIG-IP AFM systems, establishing baselines and alerting on anomalous increases
- Implement network traffic analysis to identify unusual traffic patterns targeting virtual servers with protocol inspection
- Review BIG-IP system logs for performance warnings or resource exhaustion indicators
- Deploy SentinelOne Singularity to monitor for behavioral anomalies indicating DoS attack patterns
Monitoring Recommendations
- Configure SNMP or API-based monitoring for real-time CPU utilization tracking on affected devices
- Establish threshold-based alerts for CPU usage exceeding normal operational parameters
- Implement traffic flow analysis at network boundaries to detect potential attack traffic before it reaches vulnerable systems
How to Mitigate CVE-2025-24312
Immediate Actions Required
- Review all BIG-IP AFM deployments to identify systems with IPS module enabled and protocol inspection profiles configured
- Consult the F5 Security Article K000141380 for specific remediation guidance
- Prioritize patching for internet-facing or externally accessible BIG-IP AFM systems
- Implement network-level access controls to limit traffic sources that can reach vulnerable virtual servers
Patch Information
F5 has released security updates to address this vulnerability. Administrators should consult the official F5 Security Article K000141380 for detailed patch information, affected version matrices, and upgrade instructions. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.
Workarounds
- If patching is not immediately possible, consider temporarily disabling protocol inspection profiles on affected virtual servers where the security impact is acceptable
- Implement rate limiting or traffic shaping at network boundaries to reduce the volume of traffic reaching vulnerable systems
- Deploy additional network-based intrusion prevention systems upstream to filter potentially malicious traffic
- Restrict network access to BIG-IP AFM management and data planes to trusted sources only
# Example: Review protocol inspection profile configuration
# Check whether the AFM module is provisioned on this BIG-IP system
tmsh list sys provision afm
# List the configured protocol inspection profiles; their names are needed for the next step
tmsh list security protocol-inspection profile
# Virtual servers reference a protocol inspection profile by name inside their profiles { } block,
# so search the virtual server listing for each profile name returned above
# (the literal string "protocol-inspection" only matches if a profile happens to be named that way)
tmsh list ltm virtual all | grep -B10 -A1 "<protocol-inspection-profile-name> {"
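The manual check above becomes tedious on units with many virtual servers. The following script, an added example and not F5 or the page's own code, parses saved `tmsh list` output to list every virtual server whose profiles block references a protocol inspection profile; the sample output, the profile name pi_dns_strict and the virtual server names are constructed, and firewall rules and policies that reference a profile are not covered.

```bash
#!/usr/bin/env bash
# Audit helper for CVE-2025-24312 exposure: which virtual servers carry a
# protocol inspection profile? Works on the text output of `tmsh list`,
# so it can be run against captures collected from a BIG-IP AFM unit.
set -eu

# Constructed sample of `tmsh list security protocol-inspection profile` output.
SAMPLE_PI_PROFILES='security protocol-inspection profile protocol_inspection {
    app-service none
}
security protocol-inspection profile pi_dns_strict {
    app-service none
    defaults-from protocol_inspection
}'

# Constructed sample of `tmsh list ltm virtual` output.
SAMPLE_VIRTUALS='ltm virtual vs_dns {
    destination 10.0.0.10:53
    profiles {
        pi_dns_strict { }
        udp { }
    }
}
ltm virtual vs_web {
    destination 10.0.0.20:80
    profiles {
        http { }
        tcp { }
    }
}'

# Read a profile listing on stdin; print each protocol inspection profile name.
pi_profile_names() {
    awk '$1 == "security" && $2 == "protocol-inspection" && $3 == "profile" { print $4 }'
}

# $1: newline-separated profile names, $2: virtual server listing.
# Prints each virtual server whose profiles { } block references one of the names.
virtuals_with_pi() {
    printf '%s\n' "$2" | awk -v list="$1" '
        BEGIN { n = split(list, arr, "\n"); for (i = 1; i <= n; i++) if (arr[i] != "") want[arr[i]] = 1 }
        $1 == "ltm" && $2 == "virtual"   { vs = $3; inprof = 0; next }
        $1 == "profiles" && $2 == "{"    { inprof = ($3 != "}"); next }   # handles empty "profiles { }"
        inprof && $1 == "}"              { inprof = 0; next }
        inprof && ($1 in want) && !(vs in hit) { hit[vs] = 1; print vs }
    '
}

# Run against the samples; on a real unit feed it the live `tmsh list` output instead.
virtuals_with_pi "$(printf '%s\n' "$SAMPLE_PI_PROFILES" | pi_profile_names)" "$SAMPLE_VIRTUALS"
```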
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.