CVE-2025-61935: CWE-252: Unchecked Return Value in F5 BIG-IP
When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
CVE-2025-61935 is a vulnerability identified in F5 BIG-IP devices, specifically affecting versions 15.1.0, 17.1.0, and 17.5.0. The flaw arises from an unchecked return value in the bd process, which is responsible for handling certain security functions when a BIG-IP Advanced Web Application Firewall (WAF) or Application Security Manager (ASM) policy is configured on a virtual server. When the system receives certain undisclosed requests, this unchecked return value can cause the bd process to terminate unexpectedly. The termination of this process results in a denial of service (DoS) condition, as the security functions provided by the bd process become unavailable. The vulnerability does not impact confidentiality or integrity but severely affects availability.
The CVSS 3.1 base score is 7.5, reflecting a high severity due to network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope is unchanged (S:U), and the impact is limited to availability (A:H) with no confidentiality or integrity impact. No known exploits are currently reported in the wild, and no patches have been linked yet.
The vulnerability is particularly concerning because BIG-IP devices are often deployed at network perimeters to protect critical applications and infrastructure, making any disruption potentially impactful. The CWE-252 classification indicates a failure to check a return value, a common programming error that can lead to unexpected behavior such as process crashes.
Potential Impact
For European organizations, the impact of CVE-2025-61935 can be significant due to the widespread use of F5 BIG-IP devices in enterprise networks, government agencies, and critical infrastructure. The bd process termination leads to denial of service of the Advanced WAF or ASM security policies, potentially exposing web applications to unmitigated attacks during the downtime. This can result in increased risk of exploitation of other vulnerabilities or attacks such as web application attacks, data exfiltration, or service disruption. The loss of availability of these security functions can degrade the overall security posture and may lead to compliance issues with regulations such as GDPR if data protection is compromised indirectly. Additionally, the downtime may affect business continuity and cause operational disruptions. Since no authentication or user interaction is required, attackers can exploit this remotely and anonymously, increasing the threat surface. The lack of known exploits currently provides a window for proactive mitigation, but the high severity score demands urgent attention.
Mitigation Recommendations
1. Monitor BIG-IP devices closely for any abnormal bd process terminations or service disruptions, using logs and system health metrics.
2. Restrict network access to management and virtual servers hosting WAF/ASM policies to trusted sources only, using network segmentation and access control lists (ACLs).
3. Implement strict input validation and filtering at upstream layers to reduce exposure to malformed or unexpected requests that could trigger the vulnerability.
4. Engage with F5 Networks for early access to patches or hotfixes as they become available, and plan for rapid deployment once released.
5. Consider temporary workarounds such as disabling or modifying WAF/ASM policies on affected virtual servers if feasible, balancing security and availability risks.
6. Conduct regular vulnerability assessments and penetration tests focusing on BIG-IP devices to detect potential exploitation attempts.
7. Maintain an incident response plan that includes procedures for handling denial of service events affecting critical security infrastructure.
8. Educate network and security teams about this specific vulnerability to ensure awareness and readiness to respond promptly.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: f5
- Date Reserved: 2025-10-03T23:04:38.002Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68efbf6451297e5c13a0014f
Added to database: 10/15/2025, 3:36:04 PM
Last enriched: 10/15/2025, 3:37:33 PM
Last updated: 10/15/2025, 6:35:52 PM