CVE-2025-54854: F5 BIG-IP APM DoS Vulnerability

CVE-2025-54854 Overview

CVE-2025-54854 is a denial of service vulnerability affecting F5 BIG-IP Access Policy Manager (APM) when an OAuth access profile is configured on a virtual server. When a BIG-IP APM OAuth access profile (Resource Server or Resource Client) is configured on a virtual server, specially crafted network traffic can cause the apmd process to terminate unexpectedly. This vulnerability is classified as an Out-of-Bounds Read (CWE-125), which can lead to service disruption and impact the availability of authentication and access control services.

Critical Impact

Unauthenticated remote attackers can cause the APM daemon (apmd) to crash, resulting in denial of service for OAuth-based authentication and access control functionality on affected BIG-IP systems.

Affected Products

• F5 BIG-IP Access Policy Manager (multiple versions)
• BIG-IP APM with OAuth access profiles configured as Resource Server
• BIG-IP APM with OAuth access profiles configured as Resource Client

Discovery Timeline

• October 15, 2025 - CVE-2025-54854 published to NVD
• October 21, 2025 - Last updated in NVD database

Technical Details for CVE-2025-54854

Vulnerability Analysis

This vulnerability stems from an out-of-bounds read condition (CWE-125) in the apmd process, which is the core daemon responsible for managing access policies in BIG-IP APM. When processing certain types of network traffic on a virtual server configured with an OAuth access profile, the daemon fails to properly validate input boundaries before accessing memory locations.

The vulnerability can be exploited remotely over the network without requiring authentication or user interaction. When triggered, the out-of-bounds read causes the apmd process to crash, disrupting all OAuth-based authentication services managed by the affected BIG-IP APM instance. The impact is limited to availability—no confidentiality or integrity breach occurs as a result of this vulnerability.

Organizations using BIG-IP APM for OAuth-based single sign-on (SSO), API authentication, or resource access control are particularly at risk. A successful exploitation would interrupt user authentication flows and potentially cause cascading failures in dependent applications.

Root Cause

The root cause is an out-of-bounds read vulnerability (CWE-125) in the apmd process. When processing malformed or specially crafted traffic targeting OAuth access profiles, the daemon attempts to read memory beyond allocated buffer boundaries. This memory safety violation triggers a crash condition in the apmd process.

Attack Vector

The attack is network-based and targets BIG-IP APM virtual servers configured with OAuth access profiles. An attacker can send specially crafted network traffic to the affected virtual server without requiring any authentication credentials. The attack characteristics include:

• Remote exploitation: The vulnerability can be triggered over the network
• No authentication required: Attackers do not need valid credentials
• No user interaction: The attack does not require any action from legitimate users
• Low complexity: Exploitation does not require specialized conditions or preparation

The specific nature of the "undisclosed traffic" that triggers the vulnerability has not been publicly detailed by F5 to prevent widespread exploitation.

Detection Methods for CVE-2025-54854

Indicators of Compromise

• Unexpected termination or restart of the apmd process on BIG-IP APM systems
• Log entries indicating apmd crashes or segmentation faults
• Intermittent or complete loss of OAuth authentication functionality
• Unusual network traffic patterns targeting virtual servers with OAuth access profiles

Detection Strategies

• Monitor BIG-IP system logs for apmd process crashes using /var/log/apm and system logs
• Configure SNMP traps or syslog forwarding to capture process termination events
• Implement network-level anomaly detection for traffic to OAuth-protected virtual servers
• Use F5 iHealth diagnostics to identify crash patterns and memory-related issues

Monitoring Recommendations

• Enable detailed logging for APM access policies to capture authentication failures
• Set up automated alerting for apmd process restarts via F5 monitoring tools
• Monitor virtual server availability and response times for OAuth-enabled services
• Review BIG-IP system health dashboards for unexpected service interruptions

How to Mitigate CVE-2025-54854

Immediate Actions Required

• Review F5 security advisory K000156602 for affected version details and guidance
• Identify all BIG-IP APM instances with OAuth access profiles configured on virtual servers
• Apply vendor-provided patches or upgrade to fixed versions as soon as available
• Implement network segmentation to limit exposure of affected virtual servers

Patch Information

F5 has released security guidance for this vulnerability in Security Article K000156602. Organizations should consult this advisory for specific version information, patching details, and hotfix availability. Note that software versions that have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.

Workarounds

• If OAuth access profiles are not required, consider temporarily removing or disabling them on affected virtual servers
• Implement access control lists (ACLs) to restrict traffic to OAuth-protected virtual servers from trusted sources only
• Deploy a web application firewall (WAF) in front of affected systems to filter potentially malicious traffic
• Enable high availability (HA) configurations to minimize service disruption if a crash occurs
• Monitor and auto-restart the apmd process to reduce downtime during exploitation attempts

# Configuration example - Review OAuth access profile configuration
# Check for OAuth access profiles on virtual servers
tmsh list apm profile access all-properties | grep -A5 "oauth"

# Monitor apmd process status
tmsh show sys service apmd

# Review APM logs for crash indicators
tail -f /var/log/apm