
CVE-2025-53859 – NGINX ngx_mail_smtp_module vulnerability
https://notcve.org/view.php?id=CVE-2025-53859
13 Aug 2025 — NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_ma... • https://my.f5.com/manage/s/article/K000152786 • CWE-125: Out-of-bounds Read •

CVE-2025-54500 – HTTP/2 Vulnerability
https://notcve.org/view.php?id=CVE-2025-54500
13 Aug 2025 — An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000152001 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2025-48500 – BIG-IP APM VPN web client for macOS vulnerability
https://notcve.org/view.php?id=CVE-2025-48500
13 Aug 2025 — A missing file integrity check vulnerability exists in the macOS F5 VPN browser client installer that may allow a local, authenticated attacker with access to the local file system to replace it with a malicious package installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000151782 • CWE-353: Missing Support for Integrity Check •

CVE-2025-46405 – BIG-IP APM vulnerability
https://notcve.org/view.php?id=CVE-2025-46405
13 Aug 2025 — When Network Access is configured on a BIG-IP APM virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000151546 • CWE-121: Stack-based Buffer Overflow •

CVE-2025-52585 – BIG-IP Client SSL profile vulnerability
https://notcve.org/view.php?id=CVE-2025-52585
13 Aug 2025 — When a BIG-IP LTM Client SSL profile is configured on a virtual server with SSL Forward Proxy enabled and Anonymous Diffie-Hellman (ADH) ciphers enabled, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000141436 • CWE-476: NULL Pointer Dereference •

CVE-2025-54809 – F5 Access for Android vulnerability
https://notcve.org/view.php?id=CVE-2025-54809
13 Aug 2025 — F5 Access for Android before version 3.1.2, which uses HTTPS, does not verify the identity of the remote endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000152049 • CWE-295: Improper Certificate Validation •

CVE-2025-41431 – TMM Vulnerability
https://notcve.org/view.php?id=CVE-2025-41431
07 May 2025 — When connection mirroring is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate in the standby BIG-IP systems in a traffic group. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000150668 • CWE-787: Out-of-bounds Write •

CVE-2025-31644 – Appliance mode BIG-IP iControl REST and tmsh vulnerability
https://notcve.org/view.php?id=CVE-2025-31644
07 May 2025 — When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. F5 BIG-IP version 16.1.4.1 suffers from a command injection vulnerability via an authen... • https://packetstorm.news/files/id/191689 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-35995 – BIG-IP PEM vulnerability
https://notcve.org/view.php?id=CVE-2025-35995
07 May 2025 — When a BIG-IP PEM system is licensed with URL categorization, and the URL categorization policy or an iRule with the urlcat command is enabled on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000149952 • CWE-125: Out-of-bounds Read •

CVE-2025-36525 – BIG-IP APM PingAccess Virtual Server Vulnerability
https://notcve.org/view.php?id=CVE-2025-36525
07 May 2025 — When a BIG-IP APM virtual server is configured to use a PingAccess profile, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000150598 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •