CVE-2025-61938: CWE-1284: Improper Validation of Specified Quantity in Input in F5 BIG-IP
When a BIG-IP Advanced WAF or ASM security policy is configured with a URL greater than 1024 characters in length for the Data Guard Protection Enforcement setting, either manually or through the automatic Policy Builder, the bd process can terminate repeatedly. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
CVE-2025-61938 is a vulnerability identified in F5 BIG-IP versions 17.1.0 and 17.5.0, specifically affecting the Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) modules. The issue arises when a security policy is configured with a URL exceeding 1024 characters in the Data Guard Protection Enforcement setting, either manually or via the automatic Policy Builder. This triggers improper validation of the input length (classified under CWE-1284), causing the 'bd' process—responsible for enforcing security policies—to repeatedly terminate. The repeated crashing of this critical process results in denial-of-service (DoS), disrupting the availability of the BIG-IP device's security functions. The vulnerability is remotely exploitable without requiring any privileges or user interaction, increasing its risk profile. While no public exploits have been reported yet, the vulnerability's nature and the critical role of BIG-IP devices in network security make it a high-priority issue. The vulnerability does not impact confidentiality or integrity but severely affects availability, potentially leading to service outages or degraded security posture. The vendor has not provided patches at the time of this report, and versions that have reached End of Technical Support are excluded from evaluation.
Potential Impact
The primary impact of CVE-2025-61938 is a denial-of-service condition on F5 BIG-IP devices running affected versions, caused by the repeated termination of the 'bd' process. This can lead to unavailability of critical security functions such as web application firewall protections and application security enforcement, exposing organizations to increased risk from other attacks due to disabled or degraded defenses. Enterprises relying on BIG-IP for traffic management and security may experience service disruptions, potentially affecting business continuity and customer trust. The vulnerability does not expose sensitive data or allow unauthorized access but can indirectly increase risk by disabling protective controls. Given the remote, unauthenticated exploitability and the widespread deployment of BIG-IP in large enterprises, service providers, and government networks, the impact can be significant, especially in environments requiring high availability and robust security.
Mitigation Recommendations
To mitigate CVE-2025-61938, organizations should:
1) Immediately review and restrict the length of URLs configured in the Data Guard Protection Enforcement setting to not exceed 1024 characters, avoiding manual or automated policy configurations that could trigger the vulnerability.
2) Monitor the stability of the 'bd' process and set up alerts for unexpected terminations or service disruptions in BIG-IP devices.
3) Apply any vendor-released patches or updates as soon as they become available, even if the current versions are still supported.
4) Implement network-level protections such as rate limiting and input validation to reduce the likelihood of maliciously crafted long URLs reaching the BIG-IP device.
5) Consider deploying redundant BIG-IP devices or failover mechanisms to maintain availability in case of process crashes.
6) Engage with F5 support for guidance and potential workarounds until official patches are released.
7) Regularly audit security policies and configurations to ensure compliance with recommended limits and best practices.
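An added example for the review and audit steps above (not code from F5 or from this page): it scans an exported security policy in JSON form and reports Data Guard enforcement URLs longer than 1024 characters. The `data-guard` and `enforcementUrls` key names and the sample policy are assumptions; adjust them to match your own export.

```python
import json

MAX_URL_LEN = 1024  # limit stated in the advisory description

# Constructed sample export; key names are assumptions, not taken from the page.
SAMPLE_POLICY = json.dumps({
    "policy": {
        "name": "example_policy",
        "data-guard": {
            "enabled": True,
            "enforcementMode": "enforce-urls-in-list",
            "enforcementUrls": ["/account/statement", "/export/" + "a" * 1100],
        },
    }
})


def find_data_guard_urls(node, path=""):
    """Yield (json_path, url) for every URL listed under a 'data-guard' object."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if key == "data-guard" and isinstance(value, dict):
                for i, url in enumerate(value.get("enforcementUrls", [])):
                    yield f"{child}/enforcementUrls/{i}", url
            else:
                yield from find_data_guard_urls(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_data_guard_urls(item, f"{path}/{i}")


def audit_policy(policy_json, limit=MAX_URL_LEN):
    """Return one finding per Data Guard URL longer than `limit` characters."""
    findings = []
    for where, url in find_data_guard_urls(json.loads(policy_json)):
        if isinstance(url, str) and len(url) > limit:
            # Keep only a short prefix so reports stay readable.
            findings.append({"path": where, "length": len(url), "prefix": url[:40]})
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['path']}: {f['length']} chars (> {MAX_URL_LEN}), starts {f['prefix']!r}")
```

Running the audit after every Policy Builder change catches automatically learned entries as well as manual ones.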
Affected Countries
United States, United Kingdom, Germany, France, Japan, Australia, Canada, Netherlands, South Korea, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: f5
- Date Reserved: 2025-10-03T23:04:21.120Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68efa99527d7577a180040e4
Added to database: 10/15/2025, 2:03:01 PM
Last enriched: 2/27/2026, 6:04:37 AM
Last updated: 3/24/2026, 7:47:25 PM