CVE-2025-61935 is a vulnerability identified in F5 BIG-IP devices, specifically versions 15.1.0, 17.1.0, and 17.5.0, when configured with Advanced Web Application Firewall (WAF) or Application Security Manager (ASM) policies on virtual servers. The root cause is an unchecked return value in the bd process, a core component responsible for handling certain request processing tasks. When an attacker sends specially crafted, undisclosed requests, the bd process fails to handle the return value properly, leading to its termination. This abrupt termination causes a denial of service (DoS) condition, disrupting the availability of the BIG-IP service. The vulnerability does not affect confidentiality or integrity, as it does not allow data leakage or unauthorized modification. Exploitation requires no authentication or user interaction and can be performed remotely, increasing the risk of automated attacks. Although no public exploits are currently known, the vulnerability's characteristics suggest it could be weaponized to disrupt critical network services. The vulnerability is tracked under CWE-252, which relates to unchecked return values that can lead to unexpected behavior or crashes. The CVSS v3.1 base score is 7.5, indicating high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed, with a high impact on availability. The vulnerability affects supported versions only, as versions past End of Technical Support (EoTS) are excluded from evaluation. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.

The primary impact of CVE-2025-61935 is a denial of service condition on F5 BIG-IP devices configured with Advanced WAF or ASM policies. This can lead to service outages affecting load balancing, application delivery, and security enforcement functions critical to enterprise and service provider networks. Disruption of BIG-IP services can cause downtime for hosted applications, degrade user experience, and potentially interrupt business operations. Given the widespread use of F5 BIG-IP in large enterprises, cloud providers, and telecommunications infrastructure, the impact can be significant, especially for organizations relying on these devices for secure and reliable application delivery. The vulnerability does not compromise data confidentiality or integrity, but the loss of availability can have cascading effects on dependent systems and services. Attackers can exploit this vulnerability remotely without authentication, increasing the risk of widespread automated attacks or targeted disruption campaigns. Organizations with high availability requirements and those in sectors such as finance, healthcare, government, and critical infrastructure are particularly vulnerable to the operational impact of this DoS vulnerability.

1. Apply official patches or updates from F5 as soon as they become available for affected BIG-IP versions (15.1.0, 17.1.0, 17.5.0). 2. In the absence of patches, consider temporarily disabling Advanced WAF or ASM policies on virtual servers if feasible, to mitigate triggering the bd process failure. 3. Implement network-level protections such as rate limiting, web application firewalls, and intrusion prevention systems to detect and block suspicious or malformed requests targeting the BIG-IP devices. 4. Monitor BIG-IP system logs and process health metrics closely to detect early signs of bd process termination or instability. 5. Restrict access to management and virtual server interfaces to trusted networks and enforce strict access controls to reduce exposure. 6. Employ anomaly detection tools to identify unusual traffic patterns that could indicate exploitation attempts. 7. Maintain an incident response plan specifically addressing potential denial of service scenarios affecting BIG-IP infrastructure. 8. Engage with F5 support and subscribe to security advisories for timely updates and guidance. 9. Consider network segmentation to isolate critical BIG-IP devices and limit the blast radius of potential attacks. 10. Conduct regular security assessments and penetration testing to validate the effectiveness of mitigations and identify residual risks.