CVE-2025-61935: F5 BIG-IP Advanced WAF DoS Vulnerability

CVE-2025-61935 is a denial of service vulnerability in F5 BIG-IP Advanced WAF that allows undisclosed requests to terminate the bd process. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2025-61935 Overview

CVE-2025-61935 is a denial of service vulnerability affecting F5 BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM). When a security policy is configured on a virtual server, specially crafted requests can cause the bd (daemon) process to terminate unexpectedly. This vulnerability allows remote attackers to disrupt web application firewall protections without authentication, potentially leaving protected applications exposed to attacks during the service disruption.

Critical Impact

Remote attackers can cause the bd process to terminate, resulting in denial of service for WAF/ASM security functions and potentially leaving protected applications vulnerable to attack.

Affected Products

  • F5 BIG-IP Advanced Web Application Firewall
  • F5 BIG-IP Application Security Manager
  • F5 BIG-IP Advanced WAF version 17.5.0

Discovery Timeline

  • 2025-10-15 - CVE-2025-61935 published to NVD
  • 2025-10-21 - Last updated in NVD database

Technical Details for CVE-2025-61935

Vulnerability Analysis

This vulnerability is classified under CWE-252 (Unchecked Return Value). The bd process, which is responsible for enforcing security policies on virtual servers configured with BIG-IP Advanced WAF or ASM, fails to properly handle certain malformed requests. When specific undisclosed request patterns are processed, the daemon does not adequately check return values from internal function calls, leading to an unhandled exception that causes the process to terminate.

The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for internet-facing deployments. While the vulnerability does not allow data exfiltration or system compromise, the availability impact is significant as the security policy enforcement ceases when the bd process terminates.

Root Cause

The root cause is an unchecked return value condition (CWE-252) within the bd process. When processing certain request types, the daemon fails to validate the return status of internal operations before proceeding. This oversight allows malformed input to trigger an unexpected code path that terminates the process rather than gracefully handling the error condition.

Attack Vector

The attack is conducted over the network against BIG-IP systems with Advanced WAF or ASM security policies configured on virtual servers. An unauthenticated attacker can send specially crafted HTTP requests to the protected virtual server. When the bd process attempts to analyze these requests against the configured security policy, the unchecked return value condition is triggered, causing process termination.

The vulnerability does not require complex attack conditions—a simple network request can trigger the issue. The impact is limited to availability, with no demonstrated capability for confidentiality or integrity compromise. However, the disruption of WAF/ASM protections could create a window of opportunity for secondary attacks against the protected applications.

Detection Methods for CVE-2025-61935

Indicators of Compromise

  • Unexpected termination or restart events of the bd process in BIG-IP system logs
  • Repeated crash-and-restart cycles of the ASM/WAF daemon service
  • Sudden gaps in WAF/ASM policy enforcement logging indicating service interruption
  • Anomalous HTTP request patterns preceding bd process failures

Detection Strategies

  • Monitor BIG-IP system logs (/var/log/asm) for bd process crash events or unexpected restarts
  • Implement alerting on ASM/WAF daemon health status changes via SNMP or syslog
  • Deploy network monitoring to identify unusual request patterns targeting protected virtual servers
  • Use BIG-IP iHealth diagnostics to identify vulnerability exposure in your environment

Monitoring Recommendations

  • Configure real-time alerts for bd process state changes using BIG-IP monitoring tools
  • Establish baseline metrics for bd process uptime and restart frequency to detect anomalies
  • Correlate WAF/ASM log gaps with application traffic patterns to identify potential exploitation attempts
  • Review F5 iHealth reports regularly for security advisories affecting deployed versions
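The restart-frequency baseline described above can be computed with a small log filter. This is an added example, not F5's or the page's own tooling. The syslog line layout, the `Re-starting bd` message text and the hostname `bigip1` are assumptions, and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: count bd restart events per hour from syslog-style lines.
# ASSUMPTION: lines look like "<Mon> <day> <HH:MM:SS> <host> ... <message>"
# and a restart is logged with the text in BD_RESTART_PATTERN. Adjust the
# pattern to whatever your BIG-IP version actually writes.
BD_RESTART_PATTERN="${BD_RESTART_PATTERN:-Re-starting bd}"

# bd_restart_buckets [THRESHOLD]  (reads log lines on stdin)
# Prints "<Mon> <day> <HH>:00 <count>" for each hour with >= THRESHOLD
# restarts, in the order the hours first appear in the input.
bd_restart_buckets() {
    awk -v pat="$BD_RESTART_PATTERN" -v min="${1:-3}" '
        index($0, pat) > 0 {
            split($3, t, ":")                 # $3 is HH:MM:SS
            key = $1 " " $2 " " t[1] ":00"    # bucket = month, day, hour
            if (!(key in count)) order[++n] = key
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] >= min) print order[i], count[order[i]]
        }
    '
}

# Constructed sample input (not real device output).
sample_log() {
    cat <<'EOF'
Oct 15 10:02:11 bigip1 emerg logger[4101]: Re-starting bd
Oct 15 10:02:40 bigip1 info example[4120]: unrelated message
Oct 15 10:17:53 bigip1 emerg logger[4388]: Re-starting bd
Oct 15 10:41:07 bigip1 emerg logger[4710]: Re-starting bd
Oct 15 14:05:30 bigip1 emerg logger[9021]: Re-starting bd
EOF
}

# Hours with three or more restarts point to a crash-and-restart cycle.
sample_log | bd_restart_buckets 3
```

Against a live log the call is `bd_restart_buckets 3 < /var/log/asm`. Pick the threshold from the restart rate the device shows during normal operation.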

How to Mitigate CVE-2025-61935

Immediate Actions Required

  • Review the F5 Security Advisory for specific remediation guidance
  • Identify all BIG-IP systems running affected versions with WAF/ASM policies configured
  • Plan upgrade windows to apply security patches to affected systems
  • Consider implementing additional perimeter controls to filter potentially malicious traffic

Patch Information

F5 has released security patches addressing this vulnerability. Refer to the F5 Security Advisory K000154664 for detailed information on fixed versions and upgrade paths. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.

Workarounds

  • Consult the F5 security advisory for any temporary mitigations or configuration changes
  • Implement rate limiting on virtual servers to reduce exposure to request flooding
  • Consider deploying additional network-layer filtering to block anomalous request patterns
  • Enable process monitoring and automatic restart for the bd daemon to minimize service disruption

```bash
# Check BIG-IP version and bd process status
tmsh show sys version
tmsh show sys service bd

# Monitor bd process health
tail -f /var/log/asm
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
