- 230/2025
- Critical
F5 has released security updates to address several vulnerabilities affecting multiple F5 products.
The addressed vulnerabilities could allow the attacker to perform denial of service attacks, corrupt memory, bypass security restrictions, gain elevated privileges, obtain sensitive information, execute arbitrary code/commands, and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. F5OS-A and F5OS-C Previlage Escalation Vulnerability (CVE-2025-61955):
- CVSS: 8.8
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
2. BIG-IP SCP and SFTP Security Bypass Vulnerability (CVE-2025-53868):
- CVSS: 8.7
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Bypass Security
Sample of the affected products:
- BIG-IP.
- BIG-IP SSL Orchestrator.
- BIG-IP AFM and ASM.
- F5OS-A and F5OS-C.
- BIG-IP Next SPK and Next CNF.
- BIG-IP Advanced WAF/ASM.
- BIG-IP Next for Kubernetes.
It should be highlighted that F5 is aware that BIG-IP vulnerabilities were exploited in the breach detected on August 9, 2025. The company disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP’s source code and information related to undisclosed vulnerabilities in the product.
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.