How to fix CVE-2025-36504?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Monitor vendor channels for patch availability.

Is Big Ip Access Policy Manager affected by CVE-2025-36504?

CVE-2025-36504 presents significant security risk rated CVSS 8.7. Successful exploitation could significantly impact the confidentiality, integrity, or availability of affected systems. Organizations should apply vendor updates when available and consider compensating controls in the interim.

CVE-2025-36504

HIGH

2025-05-07 [email protected]

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:40 vuln.today

CVE Published

May 07, 2025 - 22:15 nvd

HIGH 8.7

Tags

Denial Of Service Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Advanced Web Application Firewall Big Ip Analytics Big Ip Application Acceleration Manager Big Ip Application Security Manager Big Ip Application Visibility And Reporting Big Ip Automation Toolchain Big Ip Carrier Grade Nat Big Ip Container Ingress Services Big Ip Ddos Hybrid Defender Big Ip Domain Name System Big Ip Edge Gateway Big Ip Fraud Protection Service Big Ip Global Traffic Manager Big Ip Link Controller Big Ip Local Traffic Manager Big Ip Policy Enforcement Manager Big Ip Ssl Orchestrator Big Ip Webaccelerator Big Ip Websafe Big Ip Next Central Manager Big Ip Next Cloud Native Network Functions Big Ip Next Service Proxy For Kubernetes

Description

When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Analysis

When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical Context

This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Affected products include: F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Advanced Web Application Firewall, F5 Big-Ip Analytics, F5 Big-Ip Application Acceleration Manager.

Affected Products

F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Advanced Web Application Firewall, F5 Big-Ip Analytics, F5 Big-Ip Application Acceleration Manager.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Set resource limits, implement rate limiting, validate input sizes.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.6

CVSS: +44

POC: 0

CVE-2025-36504 vulnerability details – vuln.today

Back

CVE-2025-36504

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-36504

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code