CVE-2025-47148 is a vulnerability classified under CWE-404 (Improper Resource Shutdown or Release) affecting F5 BIG-IP versions 15.1.0, 16.1.0, 17.1.0, and 17.5.0. The issue arises when the BIG-IP system is configured simultaneously as a SAML service provider (SP) and identity provider (IdP) with single logout (SLO) enabled in an access policy. Under these conditions, certain undisclosed requests can cause the system to improperly manage memory resources, leading to increased memory consumption. This improper resource handling can degrade system performance and potentially cause denial of service (DoS) by exhausting available memory. The vulnerability can be exploited remotely over the network without requiring user interaction but does require low-level privileges (PR:L). The CVSS v3.1 score is 6.5, reflecting a medium severity primarily due to the impact on availability (A:H) without affecting confidentiality or integrity. The vulnerability does not affect versions that have reached End of Technical Support (EoTS). No public exploits or patches are currently available, indicating that organizations should be vigilant and prepare for remediation once patches are released.

The primary impact of CVE-2025-47148 is on system availability due to increased memory utilization leading to potential denial of service conditions. Organizations relying on F5 BIG-IP for critical SAML authentication services, especially those using both SP and IdP roles with SLO enabled, may experience service degradation or outages. This can disrupt user authentication flows, impacting business operations, access to cloud services, and internal applications. Since BIG-IP devices often serve as gateways for enterprise applications and cloud environments, the disruption could have cascading effects on productivity and security monitoring. Although confidentiality and integrity are not directly affected, the availability impact can indirectly increase risk by causing operational downtime and complicating incident response. The requirement for low privileges to exploit means that insider threats or compromised low-privilege accounts could trigger the issue. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future exploitation.

Organizations should immediately review their BIG-IP configurations to determine if they are using the affected versions (15.1.0, 16.1.0, 17.1.0, 17.5.0) with both SAML SP and IdP roles enabled alongside single logout (SLO). Until official patches are released, consider the following mitigations: 1) Temporarily disable single logout (SLO) in the access policy if feasible to prevent triggering the vulnerability. 2) Restrict access to the BIG-IP management and authentication interfaces to trusted networks and users to reduce exposure. 3) Monitor memory utilization metrics closely for unusual spikes that could indicate exploitation attempts. 4) Implement network-level protections such as rate limiting or web application firewalls (WAF) to detect and block suspicious SAML requests. 5) Maintain strict access controls and audit logs to detect unauthorized low-privilege access. 6) Stay updated with F5 advisories and apply patches promptly once available. 7) Test any configuration changes in a staging environment before production deployment to avoid service disruption.