CVE-2025-54858: CWE-674 Uncontrolled Recursion in F5 BIG-IP
CVE-2025-54858 is a high-severity vulnerability in F5 BIG-IP Advanced WAF and ASM when configured with a JSON content profile containing a malformed JSON schema. Exploiting this vulnerability can cause the bd process to terminate, leading to denial of service. The flaw arises from uncontrolled recursion triggered by malformed JSON schemas applied to virtual servers. No authentication or user interaction is required, and the attack can be launched remotely over the network. Affected versions include 15.1.0, 16.1.0, 17.1.
AI Analysis
Technical Summary
CVE-2025-54858 is a vulnerability classified under CWE-674 (Uncontrolled Recursion) affecting F5 BIG-IP devices running Advanced WAF or ASM modules. The issue occurs when a security policy is configured with a JSON content profile that includes a malformed JSON schema. When such a policy is applied to a virtual server, specially crafted requests containing malformed JSON can trigger uncontrolled recursion within the bd process, causing it to terminate unexpectedly. This results in a denial of service condition impacting the availability of the BIG-IP device's security functions. The vulnerability affects multiple recent versions of BIG-IP (15.1.0, 16.1.0, 17.1.0, and 17.5.0) and does not require any authentication or user interaction to exploit, making it remotely exploitable over the network. The CVSS v3.1 base score is 7.5, reflecting a high severity primarily due to the impact on availability (A:H) and the ease of exploitation (AV:N/AC:L/PR:N/UI:N). Although no public exploits have been reported yet, the vulnerability could be leveraged by attackers to disrupt critical application delivery and security services provided by BIG-IP devices. The issue is particularly concerning for organizations that rely heavily on BIG-IP for web application firewalling and security policy enforcement, as the termination of the bd process could lead to service outages or degraded security postures. The vendor has not yet released patches, and software versions that have reached End of Technical Support are not evaluated for this vulnerability.
Potential Impact
For European organizations, the impact of CVE-2025-54858 can be significant, especially for those using F5 BIG-IP devices to protect critical web applications and infrastructure. The vulnerability can cause denial of service by crashing the bd process, potentially leading to downtime of security policies and exposing applications to unfiltered traffic or service interruptions. This can affect sectors such as finance, healthcare, government, and telecommunications, where BIG-IP devices are commonly deployed for application delivery and security. Disruptions could result in operational losses, regulatory compliance issues (e.g., GDPR implications if service availability is compromised), and reputational damage. Additionally, the ease of remote exploitation without authentication increases the risk of opportunistic attacks. Organizations with complex JSON content profiles in their security policies are particularly vulnerable. The lack of known exploits currently provides a window for proactive mitigation, but the threat landscape could evolve rapidly once exploit code becomes available.
Mitigation Recommendations
1. Immediately review and validate all JSON content profiles and schemas used in BIG-IP Advanced WAF and ASM configurations to ensure they are well-formed and free of errors that could trigger recursion.
2. Monitor the bd process and system logs for abnormal terminations or crashes that could indicate exploitation attempts.
3. Implement network-level protections such as rate limiting and filtering to reduce exposure to malformed JSON payloads from untrusted sources.
4. Restrict access to BIG-IP management and virtual servers to trusted networks and enforce strict access controls.
5. Stay informed on vendor advisories and apply official patches or updates as soon as they become available.
6. Consider deploying redundancy and failover mechanisms to maintain service availability in case of bd process failure.
7. Conduct internal penetration testing focusing on malformed JSON inputs to identify potential weaknesses.
8. Document and test incident response procedures for denial of service events related to BIG-IP devices.
These steps go beyond generic advice by focusing on configuration hygiene, proactive monitoring, and network-level defenses tailored to the nature of this vulnerability.
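The following is an added illustration of the CWE-674 pattern behind mitigation step 1, not code from F5 or from this advisory. The page states only that a "malformed JSON schema" drives the recursion; the example assumes nesting depth is the driver, and the depth bound, the schema samples, and the function names are constructed for this example. It shows a recursive walker that refuses to descend past an explicit bound, an iterative depth measurement that is safe on any input, and a pre-deployment schema check that also catches the case where the JSON decoder itself is the recursive component.

```python
import json

# Constructed bound for this example; the page states no BIG-IP limit.
# Choose one that comfortably covers every legitimate schema you deploy.
MAX_DEPTH = 64


class NestingTooDeep(ValueError):
    """Raised when a structure nests deeper than the configured bound."""


def make_nested(n):
    """Constructed sample input: n dicts nested inside each other, leaf value 1."""
    node = 1
    for _ in range(n):
        node = {"a": node}
    return node


def bounded_walk(node, max_depth=MAX_DEPTH, _depth=0):
    """Recursive visitor with an explicit depth bound (the CWE-674 fix pattern).
    Returns the number of container nodes (dicts and lists) visited, or raises
    NestingTooDeep before the recursion can exhaust the stack."""
    if _depth > max_depth:
        raise NestingTooDeep(f"nesting depth exceeds {max_depth}")
    if isinstance(node, dict):
        return 1 + sum(bounded_walk(v, max_depth, _depth + 1) for v in node.values())
    if isinstance(node, list):
        return 1 + sum(bounded_walk(v, max_depth, _depth + 1) for v in node)
    return 0  # scalar leaf


def max_nesting_depth(node):
    """Measure nesting depth without recursion. An explicit stack makes this
    safe on arbitrarily deep input, which a recursive version is not."""
    deepest = 0
    stack = [(node, 1)]
    while stack:
        item, depth = stack.pop()
        if isinstance(item, (dict, list)):
            deepest = max(deepest, depth)
            children = item.values() if isinstance(item, dict) else item
            for child in children:
                stack.append((child, depth + 1))
    return deepest


def check_schema_text(text, max_depth=MAX_DEPTH):
    """Pre-deployment hygiene check for a JSON schema or content profile:
    (1) it must parse, (2) parsing must not itself blow the stack, and
    (3) its nesting must stay within the bound. Returns (ok, reason)."""
    try:
        schema = json.loads(text)
    except json.JSONDecodeError as exc:
        return (False, f"not well-formed JSON: {exc.msg} at position {exc.pos}")
    except RecursionError:
        # CPython's json decoder is itself recursive, so a pathological
        # document can trip the interpreter's recursion limit before any
        # application-level check ever runs.
        return (False, "rejected: decoder hit its recursion limit")
    depth = max_nesting_depth(schema)
    if depth > max_depth:
        return (False, f"nesting depth {depth} exceeds bound {max_depth}")
    return (True, f"ok: nesting depth {depth}")


# Constructed sample inputs (not taken from the advisory).
GOOD_SCHEMA = '{"type": "object", "properties": {"id": {"type": "integer"}}}'
MALFORMED_SCHEMA = '{"type": "object", "properties": {"id": {"type": "integer"}}'
DEEP_SCHEMA = '{"a": ' * 100000 + '1' + '}' * 100000


if __name__ == "__main__":
    for name, text in [("good", GOOD_SCHEMA), ("malformed", MALFORMED_SCHEMA), ("deep", DEEP_SCHEMA)]:
        print(name, check_schema_text(text))
    print("bounded_walk on 10 levels:", bounded_walk(make_nested(10)))
    try:
        bounded_walk(make_nested(200))
    except NestingTooDeep as exc:
        print("bounded_walk on 200 levels:", exc)
```

The two walkers make the design point: recursion is acceptable only with a bound that is checked before each descent, and anything that must accept untrusted input (the depth measurement here, or a parser fronting a virtual server) is safer written iteratively. Running the same check over deployed schemas before they are attached to a policy is the configuration-hygiene step the recommendation above describes.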
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: f5
- Date Reserved: 2025-10-03T23:04:38.066Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68efa99427d7577a18004095
Added to database: 10/15/2025, 2:03:00 PM
Last enriched: 10/23/2025, 1:05:48 AM
Last updated: 12/1/2025, 10:47:49 AM