CVE-2025-61938 is a vulnerability identified in F5 BIG-IP versions 17.1.0 and 17.5.0, specifically affecting the Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) modules. The root cause is an improper validation of the specified quantity in input, classified under CWE-1284. When a security policy is configured with a URL exceeding 1024 characters in length for the Data Guard Protection Enforcement setting—either manually or via the automatic Policy Builder—the bd process responsible for enforcing this protection repeatedly crashes. This leads to a denial of service condition, as the bd process termination disrupts normal WAF/ASM operations. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The impact is limited to availability, with no direct confidentiality or integrity compromise reported. The vulnerability was published on October 15, 2025, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to ease of exploitation and significant availability impact. No known exploits have been observed in the wild, and no official patches have been released at the time of this report. The vulnerability affects supported versions only, excluding those that have reached End of Technical Support. The improper input validation flaw highlights the need for robust input length checks in security policy configurations to prevent process instability and service disruption.

For European organizations, the primary impact of CVE-2025-61938 is the potential for denial of service on critical web application firewall and security enforcement functions provided by F5 BIG-IP Advanced WAF and ASM modules. Organizations relying on these devices for protecting web applications from attacks could experience service outages or degraded security posture if the bd process crashes repeatedly. This disruption could lead to unprotected web applications, increasing exposure to other threats. The vulnerability does not directly compromise data confidentiality or integrity but affects the availability of security controls, which is critical for maintaining continuous protection. Sectors such as finance, healthcare, government, and critical infrastructure that depend on F5 BIG-IP for web security are particularly at risk. Additionally, the ease of remote exploitation without authentication increases the likelihood of opportunistic attacks. The lack of known exploits currently provides a window for mitigation, but organizations must act proactively to prevent potential exploitation and service interruptions.

1. Immediately review and audit all Data Guard Protection Enforcement settings in F5 BIG-IP Advanced WAF and ASM policies to ensure no URLs exceed 1024 characters in length. 2. Avoid manual or automated configuration of security policies with overly long URLs until a vendor patch is available. 3. Monitor the bd process for stability and set up alerts for repeated crashes or restarts to enable rapid incident response. 4. Implement network-level protections such as rate limiting and input validation at upstream devices to block or filter suspiciously long URLs before they reach the BIG-IP device. 5. Engage with F5 support to obtain any available workarounds or interim fixes and stay informed about patch releases addressing this vulnerability. 6. Plan for timely patch deployment once official updates are released, prioritizing affected BIG-IP versions in production environments. 7. Conduct penetration testing and vulnerability scanning focused on this issue to identify potential exposure. 8. Document and communicate the risk to relevant stakeholders to ensure awareness and preparedness. These steps go beyond generic advice by focusing on configuration auditing, process monitoring, and proactive network filtering tailored to the specific vulnerability characteristics.