
CVE-2025-36504: CWE-770: Allocation of Resources Without Limits or Throttling in F5 BIG-IP

High
Type: Vulnerability | CVE-2025-36504 | Tags: cve, cve-2025-36504, cwe-770
Published: Wed May 07 2025 (05/07/2025, 22:04:09 UTC)
Source: CVE
Vendor/Project: F5
Product: BIG-IP

Description

When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 07:11:45 UTC

Technical Analysis

CVE-2025-36504 is a high-severity vulnerability affecting F5 BIG-IP devices, specifically versions 17.1.0 and 16.1.0. The vulnerability arises when the BIG-IP HTTP/2 httprouter profile is configured on a virtual server. Under certain undisclosed response conditions, this configuration can lead to uncontrolled memory resource consumption due to allocation of resources without proper limits or throttling, classified under CWE-770. This means that an attacker can potentially send crafted HTTP/2 requests that cause the BIG-IP system to allocate excessive memory, leading to resource exhaustion. The vulnerability does not impact confidentiality or integrity directly but severely affects availability by causing denial of service (DoS) conditions. The CVSS 3.1 base score is 7.5, reflecting a high severity with network attack vector, no privileges or user interaction required, and a scope limited to the vulnerable component. No known exploits are currently reported in the wild, and no patches have been publicly released yet. The vulnerability does not affect versions that have reached End of Technical Support (EoTS). Given the critical role of BIG-IP devices in load balancing, application delivery, and security, this vulnerability poses a significant risk to network infrastructure stability and service continuity.

Potential Impact

For European organizations, the impact of CVE-2025-36504 can be substantial. F5 BIG-IP devices are widely deployed in enterprise and service provider networks across Europe for critical functions such as traffic management, SSL termination, and application firewalling. Exploitation of this vulnerability could lead to denial of service by exhausting memory resources on BIG-IP devices, causing service outages or degraded performance. This can disrupt business operations, especially for sectors relying on high availability such as finance, telecommunications, government, and healthcare. The lack of required authentication and user interaction means attackers can remotely trigger the vulnerability, increasing the risk of widespread attacks. Additionally, disruption of BIG-IP devices could indirectly expose organizations to further attacks by disabling security controls embedded in these devices. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score and critical infrastructure role of BIG-IP devices necessitate urgent attention.

Mitigation Recommendations

European organizations should immediately review their deployment of F5 BIG-IP devices, particularly those running versions 16.1.0 and 17.1.0 with HTTP/2 httprouter profiles enabled. Specific mitigation steps include:

1) Temporarily disabling or reconfiguring the HTTP/2 httprouter profile on virtual servers to prevent triggering the vulnerability until a patch is available.
2) Implementing network-level rate limiting and filtering to restrict anomalous or excessive HTTP/2 traffic targeting BIG-IP devices.
3) Monitoring memory utilization metrics on BIG-IP devices closely to detect unusual spikes indicative of exploitation attempts.
4) Engaging with F5 Networks for early access to patches or workarounds as they become available.
5) Reviewing and tightening access controls to management interfaces to reduce the attack surface.
6) Incorporating BIG-IP devices into broader incident response and threat hunting activities to identify potential exploitation.

These targeted measures go beyond generic advice by focusing on configuration changes, traffic controls, and proactive monitoring specific to this vulnerability.
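Step 3 above asks for close monitoring of memory utilization. Because the weakness is uncontrolled allocation (CWE-770), the useful signal is not a single high reading but sustained growth over a short window, followed by a crossing of a hard ceiling. The following Python is an added example, not part of the advisory and not F5 code: it runs a per-device growth detector over a constructed feed of utilization samples. The line format and the field name `tmm_mem_used_pct` are assumptions made for this example; in practice you would feed it whatever memory metric you already export from the device (for instance via SNMP or tmsh), after mapping that metric to the same shape.

```python
"""Memory-growth detector over BIG-IP-style utilization samples.

Added example for mitigation step 3. SAMPLES is constructed for this example
and is not real BIG-IP output; the field name tmm_mem_used_pct is an assumed
name for an exported utilization metric, not an F5 identifier.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed feed: one line per minute per device. bigip-1 is steady;
# bigip-2 shows the runaway growth a CWE-770 condition would produce.
SAMPLES = """\
2025-05-08T08:00:00Z device=bigip-1 tmm_mem_used_pct=41
2025-05-08T08:00:00Z device=bigip-2 tmm_mem_used_pct=40
2025-05-08T08:01:00Z device=bigip-1 tmm_mem_used_pct=42
2025-05-08T08:01:00Z device=bigip-2 tmm_mem_used_pct=41
2025-05-08T08:02:00Z device=bigip-1 tmm_mem_used_pct=41
2025-05-08T08:02:00Z device=bigip-2 tmm_mem_used_pct=40
2025-05-08T08:03:00Z device=bigip-1 tmm_mem_used_pct=43
2025-05-08T08:03:00Z device=bigip-2 tmm_mem_used_pct=41
2025-05-08T08:04:00Z device=bigip-1 tmm_mem_used_pct=42
2025-05-08T08:04:00Z device=bigip-2 tmm_mem_used_pct=42
2025-05-08T08:05:00Z device=bigip-1 tmm_mem_used_pct=43
2025-05-08T08:05:00Z device=bigip-2 tmm_mem_used_pct=55
2025-05-08T08:06:00Z device=bigip-1 tmm_mem_used_pct=44
2025-05-08T08:06:00Z device=bigip-2 tmm_mem_used_pct=68
2025-05-08T08:07:00Z device=bigip-1 tmm_mem_used_pct=43
2025-05-08T08:07:00Z device=bigip-2 tmm_mem_used_pct=79
2025-05-08T08:08:00Z device=bigip-1 tmm_mem_used_pct=44
2025-05-08T08:08:00Z device=bigip-2 tmm_mem_used_pct=88
2025-05-08T08:09:00Z device=bigip-1 tmm_mem_used_pct=43
2025-05-08T08:09:00Z device=bigip-2 tmm_mem_used_pct=93
"""


@dataclass
class Sample:
    ts: datetime
    device: str
    used_pct: float


@dataclass
class Alert:
    ts: datetime
    device: str
    kind: str  # "growth" (sustained rise) or "ceiling" (hard limit crossed)
    detail: str


def parse_samples(text: str) -> List[Sample]:
    """Parse the constructed 'timestamp key=value ...' lines; blanks and # comments are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        kv = dict(f.split("=", 1) for f in fields[1:])
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        out.append(Sample(ts, kv["device"], float(kv["tmm_mem_used_pct"])))
    return out


def detect_anomalies(samples: Iterable[Sample], window: int = 5,
                     growth_pct: float = 15.0, ceiling_pct: float = 85.0) -> List[Alert]:
    """Return alerts, keeping a separate sliding window per device.

    growth:  usage rose by more than growth_pct points across the last `window`
             samples; raised once per episode, not on every sample.
    ceiling: usage reached ceiling_pct, raised on the crossing only.
    """
    history: Dict[str, List[Sample]] = {}
    growing = set()  # devices currently inside a growth episode
    alerts: List[Alert] = []
    for s in sorted(samples, key=lambda x: x.ts):
        hist = history.setdefault(s.device, [])
        hist.append(s)
        if len(hist) > window + 1:      # keep window+1 points: oldest vs newest
            hist.pop(0)
        baseline = hist[0].used_pct
        delta = s.used_pct - baseline
        if delta > growth_pct:
            if s.device not in growing:
                growing.add(s.device)
                alerts.append(Alert(s.ts, s.device, "growth",
                                    f"+{delta:.0f} pts over {len(hist) - 1} samples "
                                    f"({baseline:.0f}% -> {s.used_pct:.0f}%)"))
        else:
            growing.discard(s.device)
        prev = hist[-2].used_pct if len(hist) >= 2 else None
        if s.used_pct >= ceiling_pct and (prev is None or prev < ceiling_pct):
            alerts.append(Alert(s.ts, s.device, "ceiling",
                                f"{s.used_pct:.0f}% >= {ceiling_pct:.0f}% ceiling"))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(parse_samples(SAMPLES)):
        print(f"{a.ts.isoformat()} {a.device} {a.kind}: {a.detail}")
```

On the constructed feed the detector raises a growth alert for bigip-2 at 08:06 (27 points in five samples) and a ceiling alert at 08:08, while the steady bigip-1 stays silent. The growth alert fires about two minutes before the ceiling is hit, which is the margin a responder needs to apply step 1 (disable or reconfigure the httprouter profile) before the device exhausts memory; tune `window` and `growth_pct` to your own sampling interval and normal churn.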


Technical Details

Data Version: 5.1
Assigner Short Name: f5
Date Reserved: 2025-04-23T22:28:26.359Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9819c4522896dcbd86be

Added to database: 5/21/2025, 9:08:41 AM

Last enriched: 7/5/2025, 7:11:45 AM

Last updated: 7/30/2025, 8:48:28 PM
