CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1695 – NGINX Unit Java Vulnerability
https://notcve.org/view.php?id=CVE-2025-1695
04 Mar 2025 — In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000149959 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 8.6EPSS: 0%CPEs: 30EXPL: 0CVE-2022-28693 – hw: cpu: Intel: information disclosure via local access
https://notcve.org/view.php?id=CVE-2022-28693
14 Feb 2025 — Unprotected alternative channel of return branch target prediction in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. A flaw was found in hw. The unprotected alternative channel of return branch target prediction in some Intel(R) Processors may allow an authorized user to enable information disclosure via local access. • https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00707.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-420: Unprotected Alternate Channel •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23419 – TLS Session Resumption Vulnerability
https://notcve.org/view.php?id=CVE-2025-23419
05 Feb 2025 — When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client... • https://my.f5.com/manage/s/article/K000149173 • CWE-287: Improper Authentication •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23413 – BIG-IP Next Central Manager vulnerability
https://notcve.org/view.php?id=CVE-2025-23413
05 Feb 2025 — When users log in through the webUI or API using local authentication, BIG-IP Next Central Manager may log sensitive information in the pgaudit log files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000149185 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.0EPSS: 71%CPEs: 3EXPL: 2CVE-2025-20029 – BIG-IP iControl REST and tmsh vulnerability
https://notcve.org/view.php?id=CVE-2025-20029
05 Feb 2025 — Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. A command injection vulnerability exists in the F5 tmsh restricted CLI which allows an authenticated attacker to leverage the commands accessible by a low privilege user in order to bypass restrictions, inject arbitrary commands and obtain... • https://packetstorm.news/files/id/189390 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24319 – BIG-IP Next Central Manager vulnerability
https://notcve.org/view.php?id=CVE-2025-24319
05 Feb 2025 — When BIG-IP Next Central Manager is running, undisclosed requests to the BIG-IP Next Central Manager API can cause the BIG-IP Next Central Manager Node's Kubernetes service to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000148412 • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24320 – BIG-IP Configuration utility vulnerability
https://notcve.org/view.php?id=CVE-2025-24320
05 Feb 2025 — A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability is due to an incomplete fix for CVE-2024-31156 https://my.f5.com/manage/s/article/K000138636 . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000140578 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24497 – BIG-IP PEM vulnerability
https://notcve.org/view.php?id=CVE-2025-24497
05 Feb 2025 — When URL categorization is configured on a virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000140920 • CWE-125: Out-of-bounds Read •
CVSS: 8.7EPSS: 0%CPEs: 4EXPL: 0CVE-2025-24312 – BIG-IP AFM vulnerability
https://notcve.org/view.php?id=CVE-2025-24312
05 Feb 2025 — When BIG-IP AFM is provisioned with IPS module enabled and protocol inspection profile is configured on a virtual server or firewall rule or policy, undisclosed traffic can cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000141380 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.7EPSS: 0%CPEs: 5EXPL: 0CVE-2025-22846 – BIG-IP SIP Vulnerability
https://notcve.org/view.php?id=CVE-2025-22846
05 Feb 2025 — When SIP Session and Router ALG profiles are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000139780 • CWE-404: Improper Resource Shutdown or Release •