CVE-2025-59781 Overview
CVE-2025-59781 is a resource exhaustion vulnerability affecting F5 BIG-IP and BIG-IP Next Cloud-Native Network Functions (CNF) products when DNS cache is configured on a virtual server. Specially crafted DNS queries can trigger uncontrolled memory consumption, leading to potential denial of service conditions. This vulnerability is classified under CWE-459 (Incomplete Cleanup), indicating that the system fails to properly release memory resources after processing certain DNS requests.
Critical Impact
An unauthenticated attacker who can reach a DNS virtual server with caching enabled can exhaust memory on the affected BIG-IP device by sending the undisclosed DNS queries, disrupting every service that device hosts, not just DNS.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Domain Name System (DNS)
- F5 BIG-IP Global Traffic Manager (GTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Next Cloud-Native Network Functions (CNF)
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP SSL Orchestrator
Discovery Timeline
- October 15, 2025 - CVE-2025-59781 published to NVD
- October 22, 2025 - Last updated in NVD database
Technical Details for CVE-2025-59781
Vulnerability Analysis
This vulnerability stems from improper memory management within the DNS cache functionality of F5 BIG-IP systems. When DNS caching is enabled on a virtual server, the system processes and stores DNS query responses to improve performance. However, when certain undisclosed DNS queries are received, the system allocates memory for processing but fails to properly release this memory after the operation completes.
The vulnerability can be exploited remotely without authentication, as DNS services typically accept queries from any network source. An attacker can send a continuous stream of malicious DNS queries to gradually consume available system memory. As memory resources become depleted, the affected BIG-IP device may experience performance degradation, service instability, or complete denial of service.
The impact extends beyond the DNS service itself—since BIG-IP devices often serve as critical infrastructure components handling load balancing, application delivery, and security functions, memory exhaustion can affect all services running on the platform.
Root Cause
The root cause is classified as CWE-459 (Incomplete Cleanup). The DNS cache implementation does not properly deallocate memory buffers after processing specific types of DNS queries. This creates a memory leak condition where allocated memory is never returned to the system's available memory pool. Over time, or with sustained attack traffic, this leads to progressive memory exhaustion.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker with network access to a BIG-IP virtual server configured with DNS caching can exploit this vulnerability by:
- Identifying BIG-IP systems with DNS cache enabled on virtual servers
- Crafting specific DNS queries that trigger the memory leak condition
- Sending sustained DNS query traffic to exhaust available memory
- Causing denial of service when memory resources are depleted
The vulnerability affects both traditional BIG-IP deployments and the newer BIG-IP Next CNF platform, which is consistent with the flaw living in DNS cache code shared between the two (F5 has not stated this explicitly). Organizations running DNS services, or using DNS caching for performance optimization, on their BIG-IP infrastructure are at risk.
Detection Methods for CVE-2025-59781
Indicators of Compromise
- Unusual increase in DNS query volume targeting BIG-IP virtual servers with DNS caching enabled
- Memory utilization that climbs during DNS query bursts and does not fall back to its previous floor once the traffic subsides (ordinary cache pressure is reclaimed when load drops; leaked memory is not)
- BIG-IP system alerts indicating high memory utilization or memory exhaustion conditions
- Service degradation or unresponsiveness on BIG-IP managed services
Detection Strategies
- Monitor BIG-IP memory utilization metrics through SNMP, iControl REST API, or integrated monitoring solutions for abnormal growth patterns
- Implement DNS query logging and analysis to identify unusual query patterns or volumes from specific sources
- Configure memory utilization alerts in F5 BIG-IQ or third-party monitoring platforms to trigger on threshold breaches
- Review BIG-IP system logs (/var/log/ltm) for memory-related warnings or DNS cache errors
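The distinguishing signal of a leak, as opposed to a busy cache, is that memory ratchets upward: each quiet period between query bursts settles at a higher floor than the last. The following is an added example (not F5 code and not taken from the advisory) that applies that rule to polled metrics. Each sample is one polling interval of memory-in-use percent and DNS queries per second, as you might collect over SNMP or the iControl REST stats endpoints; the two series below are constructed, not captured from a device.

```python
"""Leak-style memory growth detection over sampled BIG-IP metrics.

Added example, not F5 code. The readings are constructed to show the
difference between a leaking device and a merely busy one.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Sample:
    ts: int          # epoch seconds
    mem_pct: float   # memory in use, percent of total
    dns_qps: float   # DNS queries per second seen by the virtual server


def build_samples(rows: Sequence[Tuple[int, float, float]]) -> List[Sample]:
    return [Sample(*r) for r in rows]


# Constructed series: three query bursts (~900 qps) separated by quiet
# periods (~10 qps). In the leaky series memory stays higher after each
# burst; in the healthy series it returns to the 40% floor every time.
LEAK_SAMPLES = build_samples([
    (0, 40.0, 10), (60, 40.0, 12), (120, 55.0, 900), (180, 58.0, 950),
    (240, 47.0, 11), (300, 47.0, 9), (360, 62.0, 920), (420, 65.0, 980),
    (480, 54.0, 10), (540, 54.0, 12), (600, 69.0, 930), (660, 72.0, 970),
    (720, 61.0, 11), (780, 61.0, 10),
])
HEALTHY_SAMPLES = build_samples([
    (0, 40.0, 10), (60, 40.0, 12), (120, 55.0, 900), (180, 58.0, 950),
    (240, 41.0, 11), (300, 40.0, 9), (360, 56.0, 920), (420, 58.0, 980),
    (480, 40.0, 10), (540, 40.0, 12), (600, 55.0, 930), (660, 57.0, 970),
    (720, 40.0, 11), (780, 40.0, 10),
])


def quiet_floors(samples: Sequence[Sample], quiet_qps: float) -> List[float]:
    """Minimum memory reading of each contiguous quiet period (DNS load
    below quiet_qps). Normal cache pressure is reclaimed when load drops,
    so consecutive floors stay flat; a leak pushes each floor higher."""
    floors: List[float] = []
    current = None
    for s in samples:
        if s.dns_qps < quiet_qps:
            current = s.mem_pct if current is None else min(current, s.mem_pct)
        elif current is not None:
            floors.append(current)
            current = None
    if current is not None:
        floors.append(current)
    return floors


def ratchet_rise(samples: Sequence[Sample], quiet_qps: float) -> float:
    """Percentage points by which the quiet-period floor rose overall."""
    floors = quiet_floors(samples, quiet_qps)
    if len(floors) < 2:
        return 0.0
    return floors[-1] - floors[0]


def assess(samples: Sequence[Sample], quiet_qps: float = 50.0,
           rise_threshold: float = 5.0, alert_pct: float = 85.0) -> Dict:
    """Flag a suspected leak when at least three quiet floors rise
    monotonically by rise_threshold points or more; escalate when the
    peak reading is already near exhaustion (thresholds are assumptions)."""
    floors = quiet_floors(samples, quiet_qps)
    rise = ratchet_rise(samples, quiet_qps)
    peak = max(s.mem_pct for s in samples)
    monotonic = all(b >= a for a, b in zip(floors, floors[1:]))
    leak = len(floors) >= 3 and monotonic and rise >= rise_threshold
    return {
        "floors": floors,
        "rise_pct": rise,
        "peak_pct": peak,
        "leak_suspected": leak,
        "exhaustion_imminent": leak and peak >= alert_pct,
    }


if __name__ == "__main__":
    for label, series in (("leaky", LEAK_SAMPLES), ("healthy", HEALTHY_SAMPLES)):
        print(label, assess(series))
```

The quiet-period threshold and the rise threshold are assumptions to be tuned to the device's own baseline; the point is to compare floors between bursts rather than to alert on a single high reading, which a legitimate cache fill would also produce.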
Monitoring Recommendations
- Establish a memory utilization baseline per BIG-IP device and alert on sustained deviations (for example, 10-15% above baseline); a climb that outlasts the traffic that caused it is the signal, not a single spike
- Deploy network-level DNS traffic analysis to detect potential attack patterns before they impact system resources
- Implement SentinelOne Singularity Platform for comprehensive endpoint visibility and behavioral analysis of network infrastructure
- Configure periodic DNS cache statistics review using tmsh show ltm dns cache commands to track cache behavior anomalies
How to Mitigate CVE-2025-59781
Immediate Actions Required
- Review all BIG-IP virtual server configurations to identify those with DNS cache enabled
- Consult the F5 Knowledge Base Article K000150637 for specific patch information and affected version details
- Prioritize patching for internet-facing BIG-IP systems with DNS caching functionality
- Implement network-level rate limiting for DNS traffic to reduce potential attack impact
Patch Information
F5 has published security advisory K000150637 addressing this vulnerability. Organizations should consult the official F5 security advisory for detailed version-specific patch information, as software versions that have reached End of Technical Support (EoTS) are not evaluated. Apply the appropriate hotfix or upgrade to a fixed version as specified in the advisory.
Workarounds
- If DNS caching is not required, disable it as a temporary mitigation: caching is enabled through the DNS profile attached to the virtual server, so turn off the cache setting in that profile (or attach a DNS profile without caching) rather than only deleting the cache object
- Implement external DNS rate limiting through network firewalls or dedicated DDoS protection appliances
- Configure memory monitoring and automated alerts to detect potential exploitation attempts early
- Segment network access to BIG-IP DNS services to limit exposure to trusted sources where possible
```shell
# Check DNS cache configuration on BIG-IP
# (lists the transparent, resolver and validating-resolver cache objects)
tmsh list ltm dns cache
# Monitor memory utilization; sample repeatedly over time, not once
tmsh show sys memory
# Review DNS cache statistics for anomalies
tmsh show ltm dns cache records
```
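Listing cache objects does not by itself tell you which virtual servers expose them; the link is the DNS profile (with caching enabled) attached to each virtual server. The following added example, not F5 code and not from the advisory, parses the brace-structured text that `tmsh list ltm profile dns` and `tmsh list ltm virtual` print and joins the two. SAMPLE_CONFIG is constructed to mimic that layout; it omits partition prefixes such as /Common/ for brevity, an assumption you may need to relax against real output.

```python
"""Find virtual servers whose attached DNS profile has caching enabled.

Added example, not F5 code. Concatenate the stdout of
`tmsh list ltm profile dns` and `tmsh list ltm virtual` and feed it in.
SAMPLE_CONFIG is constructed, not captured from a device.
"""
import sys
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
ltm profile dns dns_cache_profile {
    app-service none
    cache dns_cache_transparent
    defaults-from dns
    enable-cache yes
}
ltm profile dns dns_plain {
    app-service none
    defaults-from dns
    enable-cache no
}
ltm virtual vs_dns_cached {
    destination 192.0.2.10:53
    ip-protocol udp
    mask 255.255.255.255
    profiles {
        dns_cache_profile { }
        udp { }
    }
    source 0.0.0.0/0
}
ltm virtual vs_dns_plain {
    destination 192.0.2.11:53
    ip-protocol udp
    profiles {
        dns_plain { }
        udp { }
    }
}
"""


def split_objects(text: str) -> List[Tuple[str, List[str]]]:
    """Split tmsh list output into (header, body lines) per top-level object,
    tracking brace depth so nested blocks stay inside their own object.
    Assumes each object opens with '... {' on its own line."""
    objects: List[Tuple[str, List[str]]] = []
    header, depth, body = "", 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line.endswith("{"):
                header, depth, body = line[:-1].strip(), 1, []
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            objects.append((header, body))
        else:
            body.append(line)
    return objects


def caching_dns_profiles(objects: List[Tuple[str, List[str]]]) -> Dict[str, str]:
    """DNS profile name -> cache object name, for profiles with enable-cache yes."""
    found: Dict[str, str] = {}
    for header, body in objects:
        if not header.startswith("ltm profile dns "):
            continue
        fields = dict(l.split(None, 1) for l in body if " " in l and "{" not in l)
        if fields.get("enable-cache") == "yes":
            found[header.split()[-1]] = fields.get("cache", "<unset>")
    return found


def attached_profiles(body: List[str]) -> List[str]:
    """Names listed inside a virtual server's 'profiles { ... }' block."""
    names, inside = [], False
    for line in body:
        if line.startswith("profiles {"):
            inside = True
        elif inside:
            if line == "}":
                break
            names.append(line.split()[0])
    return names


def virtuals_with_dns_cache(text: str) -> List[Tuple[str, str, str]]:
    """(virtual server, DNS profile, cache object) for every exposed virtual."""
    objects = split_objects(text)
    caching = caching_dns_profiles(objects)
    hits = []
    for header, body in objects:
        if header.startswith("ltm virtual "):
            vs = header.split()[-1]
            for prof in attached_profiles(body):
                if prof in caching:
                    hits.append((vs, prof, caching[prof]))
    return hits


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    for vs, prof, cache in virtuals_with_dns_cache(data):
        print(f"{vs}: DNS profile {prof} caches into {cache}")
```

Run it on a device with `(tmsh list ltm profile dns; tmsh list ltm virtual) | python3 audit.py`; the virtual servers it prints are the ones to patch first or to move onto a non-caching DNS profile under the workaround above.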
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

