CVE-2025-24326 Overview
CVE-2025-24326 is a memory resource exhaustion vulnerability affecting F5 BIG-IP Advanced WAF/ASM when the Behavioral DoS (BADoS) TLS Signatures feature is configured. When this feature is enabled, undisclosed traffic patterns can trigger an increase in memory resource utilization, potentially leading to service degradation or denial of service conditions.
This vulnerability is classified as CWE-787 (Out-of-Bounds Write), indicating that the underlying issue involves improper memory handling that can be triggered through network traffic. The network-based attack vector makes this vulnerability particularly concerning for organizations relying on BIG-IP for application security and traffic management.
Critical Impact
Exploitation of this vulnerability can cause significant memory resource consumption on affected BIG-IP systems, potentially leading to service degradation or denial of service for protected applications.
Affected Products
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Advanced WAF with BADoS TLS Signatures feature enabled
- Multiple versions of BIG-IP (refer to F5 advisory K000140950 for specific version details)
Discovery Timeline
- February 5, 2025 - CVE-2025-24326 published to NVD
- August 8, 2025 - Last updated in NVD database
Technical Details for CVE-2025-24326
Vulnerability Analysis
This vulnerability exists within the Behavioral DoS (BADoS) TLS Signatures feature of F5 BIG-IP Advanced WAF and Application Security Manager. BADoS is designed to automatically detect and mitigate DoS attacks by analyzing traffic patterns and TLS signatures. However, when processing certain types of undisclosed traffic, the feature fails to properly manage memory allocation, resulting in progressive memory exhaustion.
The vulnerability can be exploited remotely over the network without authentication or user interaction. Exploitation does, however, require one precondition: the BADoS TLS Signatures feature must be actively configured on the target system. This limits the attack surface to environments where this particular security feature has been enabled.
Root Cause
The root cause is an out-of-bounds write condition (CWE-787) in the memory handling routines associated with TLS signature processing within the BADoS feature. When specific traffic patterns are received, the system fails to properly validate memory boundaries before write operations, leading to memory corruption and resource exhaustion.
The vulnerability occurs in the traffic analysis pipeline where TLS handshake data is processed for behavioral analysis. Improper bounds checking during this process allows attackers to trigger memory allocation patterns that are not properly released, causing cumulative memory consumption.
Attack Vector
The attack is conducted over the network without requiring any form of authentication or privileges. An attacker can send specially crafted traffic to a BIG-IP system with BADoS TLS Signatures enabled. The attack requires some specific conditions to be present (the feature must be configured), but once these conditions are met, exploitation does not require complex techniques.
The attack primarily affects the availability of the system by exhausting memory resources. While the vulnerability does not directly enable data theft or system compromise, the resulting denial of service condition can impact both the BIG-IP device itself and any applications or services it protects.
Organizations using BIG-IP as a critical security control for web applications face the risk of security policy enforcement gaps during an active exploitation attempt.
Detection Methods for CVE-2025-24326
Indicators of Compromise
- Unusual memory consumption patterns on BIG-IP systems with BADoS TLS Signatures enabled
- Gradual increase in memory utilization without corresponding increase in legitimate traffic volume
- System performance degradation or instability affecting protected applications
- BIG-IP system logs indicating memory pressure or out-of-memory conditions
Detection Strategies
- Monitor BIG-IP system memory utilization metrics and establish baselines for normal operation
- Configure alerting thresholds for memory consumption that deviate significantly from baseline
- Analyze TLS traffic patterns for anomalies that may indicate exploitation attempts
- Review BIG-IP system logs for memory-related warnings or errors correlated with BADoS feature activity
Monitoring Recommendations
- Implement continuous memory utilization monitoring on all BIG-IP devices with BADoS enabled
- Deploy network traffic analysis to identify unusual patterns targeting BIG-IP management and data plane interfaces
- Correlate memory consumption spikes with traffic volume to identify disproportionate resource usage
- Consider implementing SentinelOne Singularity for endpoint and network visibility to detect anomalous behavior patterns
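The detection strategies and monitoring recommendations above (baseline memory utilization, alert on deviation, correlate memory growth with traffic volume) reduce to a small check that can run inside a monitoring pipeline. The script below is an added example written for this page; it is not F5's or SentinelOne's code. It assumes you already collect periodic samples of memory utilization (percent) and new-connection rate from each BIG-IP, for instance by scripting tmsh show sys memory and tmsh show sys performance system, or via SNMP; the sample values embedded here are constructed to show a normal traffic spike (memory rises with traffic, no alert) followed by memory growth without a matching traffic increase (alerts).

```python
"""Flag BIG-IP memory growth that is disproportionate to traffic volume.

Added example for this page (not vendor code). Inputs are periodic samples
of memory utilization and connection rate; the data source is assumed to
be tmsh/SNMP polling done elsewhere. Sample values below are constructed.
"""
from dataclasses import dataclass
from statistics import mean, median
from typing import List, Tuple


@dataclass(frozen=True)
class Sample:
    ts: int               # seconds (constructed timestamps, 60 s apart)
    mem_pct: float        # percent of system memory in use
    conns_per_sec: float  # new client connections per second


@dataclass(frozen=True)
class Alert:
    ts: int
    mem_pct: float
    expected_pct: float
    reason: str


def fit_baseline(baseline: List[Sample]) -> Tuple[float, float, float]:
    """Least-squares fit mem_pct = intercept + slope * conns_per_sec over a
    known-good window, plus the median absolute residual as a noise estimate.
    This is the 'baseline' the page recommends establishing."""
    xs = [s.conns_per_sec for s in baseline]
    ys = [s.mem_pct for s in baseline]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    intercept = my - slope * mx
    residuals = [abs(y - (intercept + slope * x)) for x, y in zip(xs, ys)]
    return intercept, slope, median(residuals)


def detect_disproportionate_memory(samples: List[Sample], baseline_len: int = 12,
                                   hard_limit_pct: float = 90.0, min_margin_pct: float = 3.0,
                                   k: float = 4.0, consecutive: int = 3) -> List[Alert]:
    """Raise an alert when memory exceeds what the traffic level predicts for
    `consecutive` samples in a row (sustained growth, not a one-off spike),
    or immediately when memory crosses a hard limit."""
    if len(samples) <= baseline_len:
        raise ValueError("need more samples than the baseline window")
    intercept, slope, noise = fit_baseline(samples[:baseline_len])
    margin = max(min_margin_pct, k * noise)   # tolerate normal jitter
    alerts: List[Alert] = []
    streak = 0
    for s in samples[baseline_len:]:
        expected = intercept + slope * s.conns_per_sec
        streak = streak + 1 if s.mem_pct - expected > margin else 0
        if s.mem_pct >= hard_limit_pct:
            alerts.append(Alert(s.ts, s.mem_pct, expected, "memory above hard limit"))
        elif streak >= consecutive:
            alerts.append(Alert(s.ts, s.mem_pct, expected,
                                "memory growth disproportionate to traffic"))
    return alerts


# Constructed data: 12 baseline samples where memory tracks traffic
# (about 40% + 0.01 * conns/s, with small jitter) ...
_BASELINE = [
    Sample(ts=i * 60,
           mem_pct=40.0 + 0.01 * (1000 + 100 * i) + (0.2 if i % 2 == 0 else -0.2),
           conns_per_sec=float(1000 + 100 * i))
    for i in range(12)
]
# ... then a legitimate traffic spike (memory rises in proportion: no alert),
# then memory climbing while traffic stays flat (the pattern the page describes).
SAMPLES = _BASELINE + [
    Sample(720, 70.0, 3000.0),
    Sample(780, 56.0, 1500.0),
    Sample(840, 59.5, 1520.0),
    Sample(900, 63.0, 1480.0),
    Sample(960, 68.0, 1510.0),
    Sample(1020, 74.0, 1490.0),
    Sample(1080, 81.0, 1500.0),
    Sample(1140, 91.0, 1500.0),
]

if __name__ == "__main__":
    for a in detect_disproportionate_memory(SAMPLES):
        print(f"t={a.ts:>5}s mem={a.mem_pct:5.1f}% expected~{a.expected_pct:5.1f}%  {a.reason}")
```

The traffic-proportional spike at t=720 s produces no alert because the fitted baseline expects roughly 70% memory at 3000 conn/s; the later samples trigger once memory has exceeded the prediction by more than the margin for three consecutive polls, and the final sample trips the hard limit regardless of traffic. Tune baseline_len, the margin and the hard limit to the device's normal operating envelope.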
How to Mitigate CVE-2025-24326
Immediate Actions Required
- Review F5 security advisory K000140950 for specific patching guidance and affected version information
- Inventory all BIG-IP systems with BADoS TLS Signatures feature enabled
- Apply vendor-provided patches as soon as they become available for your specific BIG-IP version
- Consider temporarily disabling BADoS TLS Signatures feature on critical systems until patches can be applied
Patch Information
F5 has released information regarding this vulnerability in security advisory K000140950. Organizations should consult this advisory for specific version information, patching guidance, and any additional mitigation recommendations provided by F5.
Note that software versions which have reached End of Technical Support (EoTS) are not evaluated by F5. Organizations running EoTS versions should prioritize upgrading to supported versions to receive security updates.
Workarounds
- Disable the BADoS TLS Signatures feature if it is not required for your security posture
- Implement network-level access controls to limit traffic sources that can reach the BIG-IP system
- Configure resource limits and monitoring to detect and respond to memory exhaustion conditions
- Consider deploying additional load balancing or failover configurations to maintain availability during potential attacks
# Example: inventory BADoS configuration on a BIG-IP
# Connect to BIG-IP via SSH and run. BADoS (including TLS Signatures) is
# configured in a DoS profile, not in the ASM policy object itself, so list
# the DoS profiles rather than the ASM policy:
tmsh list security dos profile
# Or inspect a single profile (replace the name with your own):
tmsh list security dos profile /Common/your_dos_profile_name
# Review current memory utilization
tmsh show sys memory
# Monitor system resource usage
tmsh show sys performance system
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.