CVSS: 8.7EPSS: 0%CPEs: 2EXPL: 0CVE-2025-23412 – BIG-IP APM access profile vulnerability
https://notcve.org/view.php?id=CVE-2025-23412
05 Feb 2025 — When BIG-IP APM Access Profile is configured on a virtual server, undisclosed request can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000141003 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23239 – BIG-IP iControl REST vulnerability
https://notcve.org/view.php?id=CVE-2025-23239
05 Feb 2025 — When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000138757 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.9EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24326 – BIG-IP Advanced WAF/ASM BADoS vulnerability
https://notcve.org/view.php?id=CVE-2025-24326
05 Feb 2025 — When BIG-IP Advanced WAF/ASM Behavioral DoS (BADoS) TLS Signatures feature is configured, undisclosed traffic can case an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000140950 • CWE-787: Out-of-bounds Write •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-20045 – BIG-IP SIP MRF Vulnerability
https://notcve.org/view.php?id=CVE-2025-20045
05 Feb 2025 — When SIP session Application Level Gateway mode (ALG) profile with Passthru Mode enabled and SIP router ALG profile are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000138932 • CWE-476: NULL Pointer Dereference •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-22891 – BIG-IP PEM Vulnerability
https://notcve.org/view.php?id=CVE-2025-22891
05 Feb 2025 — When BIG-IP PEM Control Plane listener Virtual Server is configured with Diameter Endpoint profile, undisclosed traffic can cause the Virtual Server to stop processing new client connections and an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000139778 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 8.9EPSS: 0%CPEs: 3EXPL: 0CVE-2025-20058 – BIG-IP message routing vulnerability
https://notcve.org/view.php?id=CVE-2025-20058
05 Feb 2025 — When a BIG-IP message routing profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated When a BIG-IP message routing profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated • https://my.f5.com/manage/s/article/K000140947 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-23415 – BIG-IP APM Endpoint Inspection vulnerability
https://notcve.org/view.php?id=CVE-2025-23415
05 Feb 2025 — An insufficient verification of data authenticity vulnerability exists in BIG-IP APM Access Policy endpoint inspection that may allow an attacker to bypass endpoint inspection checks for VPN connection initiated thru BIG-IP APM browser network access VPN client for Windows, macOS and Linux. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000139656 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21091 – BIG-IP SNMP vulnerability
https://notcve.org/view.php?id=CVE-2025-21091
05 Feb 2025 — When SNMP v1 or v2c are disabled on the BIG-IP, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated • https://my.f5.com/manage/s/article/K000140933 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 8.9EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21087 – TMM Vulnerability
https://notcve.org/view.php?id=CVE-2025-21087
05 Feb 2025 — When Client or Server SSL profiles are configured on a Virtual Server, or DNSSEC signing operations are in use, undisclosed traffic can cause an increase in memory and CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated • https://my.f5.com/manage/s/article/K000134888 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10318 – NGINX OpenID Connect Vulnerability
https://notcve.org/view.php?id=CVE-2024-10318
06 Nov 2024 — A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session. • https://my.f5.com/manage/s/article/K000148232 • CWE-384: Session Fixation •