CVE-2025-61935 Overview
CVE-2025-61935 is a denial of service vulnerability affecting F5 BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM). When a security policy is configured on a virtual server, specially crafted requests can cause the bd (daemon) process to terminate unexpectedly. This vulnerability allows remote attackers to disrupt web application firewall protections without authentication, potentially leaving protected applications exposed to attacks during the service disruption.
Critical Impact
Remote attackers can cause the bd process to terminate, resulting in denial of service for WAF/ASM security functions and potentially leaving protected applications vulnerable to attack.
Affected Products
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Application Security Manager
- F5 BIG-IP Advanced WAF version 17.5.0
Discovery Timeline
- 2025-10-15 - CVE-2025-61935 published to NVD
- 2025-10-21 - Last updated in NVD database
Technical Details for CVE-2025-61935
Vulnerability Analysis
This vulnerability is classified under CWE-252 (Unchecked Return Value). The bd process, which is responsible for enforcing security policies on virtual servers configured with BIG-IP Advanced WAF or ASM, fails to properly handle certain malformed requests. When specific undisclosed request patterns are processed, the daemon does not adequately check return values from internal function calls, leading to an unhandled exception that causes the process to terminate.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for internet-facing deployments. While the vulnerability does not allow data exfiltration or system compromise, the availability impact is significant as the security policy enforcement ceases when the bd process terminates.
Root Cause
The root cause is an unchecked return value condition (CWE-252) within the bd process. When processing certain request types, the daemon fails to validate the return status of internal operations before proceeding. This oversight allows malformed input to trigger an unexpected code path that terminates the process rather than gracefully handling the error condition.
Attack Vector
The attack is conducted over the network against BIG-IP systems with Advanced WAF or ASM security policies configured on virtual servers. An unauthenticated attacker can send specially crafted HTTP requests to the protected virtual server. When the bd process attempts to analyze these requests against the configured security policy, the unchecked return value condition is triggered, causing process termination.
The vulnerability does not require complex attack conditions—a simple network request can trigger the issue. The impact is limited to availability, with no demonstrated capability for confidentiality or integrity compromise. However, the disruption of WAF/ASM protections could create a window of opportunity for secondary attacks against the protected applications.
Detection Methods for CVE-2025-61935
Indicators of Compromise
- Unexpected termination or restart events of the bd process in BIG-IP system logs
- Repeated crash-and-restart cycles of the ASM/WAF daemon service
- Sudden gaps in WAF/ASM policy enforcement logging indicating service interruption
- Anomalous HTTP request patterns preceding bd process failures
Detection Strategies
- Monitor BIG-IP system logs (/var/log/asm) for bd process crash events or unexpected restarts
- Implement alerting on ASM/WAF daemon health status changes via SNMP or syslog
- Deploy network monitoring to identify unusual request patterns targeting protected virtual servers
- Use BIG-IP iHealth diagnostics to identify vulnerability exposure in your environment
Monitoring Recommendations
- Configure real-time alerts for bd process state changes using BIG-IP monitoring tools
- Establish baseline metrics for bd process uptime and restart frequency to detect anomalies
- Correlate WAF/ASM log gaps with application traffic patterns to identify potential exploitation attempts
- Review F5 iHealth reports regularly for security advisories affecting deployed versions
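The following added example, which is not from F5 or from this page's author, applies the restart-frequency and log-gap checks above to bd termination and start events. The log lines are constructed and the `EVENT_RE` pattern is a hypothetical format, so adapt it to the messages your own /var/log/asm contains; the 10-minute gap and threshold of 3 are likewise assumed defaults.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines and a hypothetical pattern: NOT the real BIG-IP log
# format. Adapt EVENT_RE to the messages your own /var/log/asm contains.
SAMPLE_LOG = """\
2025-10-16T09:00:03 bigip1 info bd[4312]: policy enforcement active
2025-10-16T10:02:11 bigip1 err bd[4312]: process terminated unexpectedly
2025-10-16T10:02:19 bigip1 notice bd[5120]: process started
2025-10-16T10:03:40 bigip1 err bd[5120]: process terminated unexpectedly
2025-10-16T10:03:48 bigip1 notice bd[5307]: process started
2025-10-16T10:05:02 bigip1 err bd[5307]: process terminated unexpectedly
2025-10-16T10:05:10 bigip1 notice bd[5466]: process started
2025-10-16T14:30:00 bigip1 err bd[5466]: process terminated unexpectedly
2025-10-16T14:30:09 bigip1 notice bd[6001]: process started
""".splitlines()
EVENT_RE = re.compile(r"^(\S+) \S+ \S+ bd\[\d+\]: process (terminated|started)")

def bd_events(lines):
    """Return sorted (timestamp, kind) tuples for bd terminate/start lines."""
    hits = (EVENT_RE.match(line) for line in lines)
    return sorted((datetime.fromisoformat(m[1]), m[2]) for m in hits if m)

def crash_bursts(events, max_gap=timedelta(minutes=10), threshold=3):
    """Cluster terminations separated by <= max_gap; keep clusters >= threshold."""
    crashes = [t for t, kind in events if kind == "terminated"]
    bursts, run = [], []
    for t in crashes:
        if run and t - run[-1] > max_gap:
            bursts.append(run)
            run = []
        run.append(t)
    bursts.append(run)
    return [(r[0], r[-1], len(r)) for r in bursts if len(r) >= threshold]

def unenforced_seconds(events):
    """Sum the time between each termination and the next start of bd."""
    total, down_since = 0.0, None
    for t, kind in events:
        if kind == "terminated" and down_since is None:
            down_since = t
        elif kind == "started" and down_since is not None:
            total += (t - down_since).total_seconds()
            down_since = None
    return total

if __name__ == "__main__":
    ev = bd_events(SAMPLE_LOG)
    print("crash loops:", crash_bursts(ev), "seconds down:", unenforced_seconds(ev))
```

A single isolated restart stays below the threshold and is not reported as a crash loop, while the summed downtime still counts it as time without policy enforcement.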
How to Mitigate CVE-2025-61935
Immediate Actions Required
- Review the F5 Security Advisory for specific remediation guidance
- Identify all BIG-IP systems running affected versions with WAF/ASM policies configured
- Plan upgrade windows to apply security patches to affected systems
- Consider implementing additional perimeter controls to filter potentially malicious traffic
Patch Information
F5 has released security patches addressing this vulnerability. Refer to the F5 Security Advisory K000154664 for detailed information on fixed versions and upgrade paths. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.
Workarounds
- Consult the F5 security advisory for any temporary mitigations or configuration changes
- Implement rate limiting on virtual servers to reduce exposure to request flooding
- Consider deploying additional network-layer filtering to block anomalous request patterns
- Enable process monitoring and automatic restart for the bd daemon to minimize service disruption
```bash
# Check BIG-IP version and bd process status
tmsh show sys version
tmsh show sys service bd

# Monitor bd process health
tail -f /var/log/asm
```


