CVE-2025-47148: CWE-404 Improper Resource Shutdown or Release in F5 BIG-IP
CVE-2025-47148 is a medium-severity vulnerability in F5 BIG-IP systems configured as both SAML service provider and identity provider with single logout enabled. It involves improper resource shutdown or release, leading to increased memory utilization when processing certain undisclosed requests. This can cause denial-of-service conditions due to resource exhaustion. The vulnerability requires low privileges but no user interaction and affects multiple recent BIG-IP versions. No known exploits are currently reported in the wild. European organizations relying on BIG-IP for identity federation and access management could face service disruptions if targeted. Mitigation involves monitoring memory usage closely and applying vendor patches once available. Countries with high adoption of F5 BIG-IP in critical infrastructure and financial sectors are most at risk.
AI Analysis
Technical Summary
CVE-2025-47148 is a vulnerability classified under CWE-404 (Improper Resource Shutdown or Release) affecting F5 BIG-IP versions 15.1.0, 16.1.0, 17.1.0, and 17.5.0. The issue arises when the BIG-IP system is configured simultaneously as a SAML service provider (SP) and identity provider (IdP), with single logout (SLO) enabled on the access policy. Under these conditions, certain undisclosed requests can cause the system to improperly manage memory resources, resulting in increased memory consumption. This improper resource handling can lead to resource exhaustion, potentially causing denial of service (DoS) by degrading system performance or causing crashes. The vulnerability has a CVSS v3.1 base score of 6.5, indicating medium severity, with a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). There are no known exploits in the wild at the time of publication, and no patches have been released yet. The vulnerability affects supported BIG-IP versions only, excluding those that have reached End of Technical Support (EoTS).
Potential Impact
For European organizations, especially those using F5 BIG-IP appliances for identity federation and access management, this vulnerability poses a risk of denial of service through memory exhaustion. This can disrupt authentication and authorization services, impacting business continuity and user access to critical applications. Sectors such as finance, telecommunications, government, and critical infrastructure that rely heavily on SAML-based single sign-on (SSO) and single logout (SLO) mechanisms are particularly vulnerable. Service outages could lead to operational downtime, loss of productivity, and potential regulatory compliance issues related to availability. Although the vulnerability does not compromise confidentiality or integrity, the availability impact alone can have significant operational and reputational consequences.
Mitigation Recommendations
Organizations should immediately review their BIG-IP configurations to determine whether the system is set up as both SAML SP and IdP with SLO enabled. Until patches are released, administrators should consider temporarily disabling single logout functionality if feasible, or segregating SP and IdP roles onto separate BIG-IP instances to avoid triggering the vulnerability. Monitoring memory usage and system performance metrics closely can help detect abnormal resource consumption early. Implement network-level protections such as rate limiting or filtering to reduce the risk of undisclosed requests causing resource exhaustion. Engage with F5 support for guidance and prioritize patch deployment as soon as vendor updates become available. Additionally, conduct thorough testing in staging environments before applying any configuration changes or patches in production.
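A defender-side check for the two actions above (find the SP+IdP+SLO combination in a config dump, and flag sustained memory growth from periodic samples), written here as an added Python example; it is not F5 code or part of the advisory. It assumes a tmsh-style `list` dump with `apm aaa saml` (SP) and `apm aaa saml-idp-service` (IdP) stanzas, and the `single-logout enabled` attribute is a placeholder for whatever key your BIG-IP version uses for SLO.

```python
import re

# Constructed sample of a tmsh-style dump showing the at-risk combination
# (object names and the `single-logout` key are illustrative placeholders).
SAMPLE_CONFIG = """
apm aaa saml /Common/sp_portal {
    entity-id https://portal.example.test/sp
    single-logout enabled
}
apm aaa saml-idp-service /Common/idp_hr {
    entity-id https://idp.example.test
}
"""

# One stanza: `apm aaa <kind> <name> { ... }` closed by a `}` at line start.
STANZA_RE = re.compile(
    r"^apm aaa (saml|saml-idp-service) (\S+) \{(.*?)^\}", re.S | re.M
)


def audit_saml_roles(config_text):
    """Report SP services, IdP services, objects with SLO on, and whether
    all three conditions named in the advisory hold at once."""
    roles = {"sp": [], "idp": [], "slo": []}
    for kind, name, body in STANZA_RE.findall(config_text):
        roles["sp" if kind == "saml" else "idp"].append(name)
        if re.search(r"\bsingle-logout\s+enabled\b", body):
            roles["slo"].append(name)
    roles["exposed"] = bool(roles["sp"] and roles["idp"] and roles["slo"])
    return roles


def memory_growth_alert(samples, min_slope=0.5):
    """samples: memory-used percentages taken at a fixed interval.
    Returns True when the least-squares slope (percent per interval)
    shows a sustained upward trend rather than normal jitter."""
    n = len(samples)
    if n < 3:
        return False
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    num = sum((i - mean_x) * (y - mean_y) for i, y in enumerate(samples))
    den = sum((i - mean_x) ** 2 for i in range(n))
    return num / den >= min_slope


if __name__ == "__main__":
    print(audit_saml_roles(SAMPLE_CONFIG))
    print(memory_growth_alert([40, 42, 44, 46, 48, 50]))
```

Feed `audit_saml_roles` the output of a full `tmsh list` and `memory_growth_alert` a window of `tmsh show sys memory` readings; only a host that is exposed *and* trending upward needs the SLO-disable or role-split workaround before patches land.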
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: f5
- Date Reserved: 2025-10-03T23:04:03.858Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68efa99327d7577a1800134b
Added to database: 10/15/2025, 2:02:59 PM
Last enriched: 10/23/2025, 1:02:25 AM
Last updated: 12/4/2025, 10:15:35 PM