CVE-2025-61974 is a vulnerability classified under CWE-401 (Missing Release of Memory after Effective Lifetime) affecting F5 BIG-IP devices configured with a client SSL profile on a virtual server. The issue arises because certain undisclosed requests cause the system to allocate memory that is never properly freed, resulting in a gradual increase in memory usage. Over time, this can lead to memory exhaustion, degrading system performance or causing service outages. The vulnerability affects multiple recent versions of BIG-IP (15.1.0, 16.1.0, 17.1.0, and 17.5.0), which are widely deployed in enterprise and service provider environments for load balancing, SSL offloading, and application delivery. The flaw can be exploited remotely without authentication or user interaction, making it accessible to unauthenticated attackers. Although no public exploits have been reported, the potential for denial-of-service attacks is significant due to the high resource consumption impact. The CVSS v3.1 base score of 7.5 reflects a high severity, driven by network attack vector, low attack complexity, no privileges required, no user interaction, and a high impact on availability. The vulnerability does not affect confidentiality or integrity. No patches or mitigation links were provided at the time of disclosure, and versions that have reached End of Technical Support were not evaluated. This vulnerability requires attention from organizations using BIG-IP devices to prevent service disruption.

The primary impact of CVE-2025-61974 is on the availability of F5 BIG-IP devices, which are critical components in many enterprise and service provider networks for managing application traffic and SSL termination. Exploitation can lead to memory exhaustion, causing degraded performance, service slowdowns, or complete denial of service. This can disrupt access to business-critical applications, impacting operational continuity and potentially causing financial and reputational damage. Since the vulnerability can be exploited remotely without authentication, attackers can launch denial-of-service attacks at scale, targeting organizations that rely heavily on BIG-IP for secure and reliable application delivery. The lack of impact on confidentiality and integrity means data breaches or unauthorized data modification are not direct concerns, but service outages can indirectly affect business operations and customer trust. Organizations with high availability requirements and those in sectors such as finance, healthcare, telecommunications, and government are particularly at risk due to the critical nature of their services.

To mitigate CVE-2025-61974, organizations should first verify if their BIG-IP devices are running affected versions (15.1.0, 16.1.0, 17.1.0, or 17.5.0) with client SSL profiles configured on virtual servers. Immediate steps include: 1) Monitoring memory usage closely on BIG-IP devices to detect abnormal increases that could indicate exploitation attempts. 2) Implementing network-level protections such as rate limiting and filtering to restrict potentially malicious traffic patterns targeting SSL profiles. 3) Segregating management and data plane traffic to reduce exposure. 4) Applying any vendor-released patches or hotfixes as soon as they become available. 5) Engaging with F5 support for guidance and potential workarounds, such as disabling or modifying client SSL profiles if feasible without impacting business operations. 6) Conducting regular vulnerability assessments and penetration testing focused on BIG-IP configurations. 7) Ensuring robust incident response plans are in place to quickly address potential denial-of-service incidents. Avoid running unsupported or end-of-support versions to maintain access to security updates.