CERT-In Warns of Severe Security Vulnerabilities in F5 Solutions
CERT-In warns that F5 products contain serious vulnerabilities that could lead to denial-of-service attacks, data theft and system disruption. The vulnerabilities affect critical enterprise network tools such as BIG-IP and NGINX and should be patched immediately. 2025-2-28 11:0:47 Author: cyble.com

CERT-In warns of critical vulnerabilities in F5 products, exposing systems to DoS attacks, data theft, and downtime.

Overview

CERT-In (Indian Computer Emergency Response Team) has issued a critical security advisory (CIVN-2025-0035) detailing several vulnerabilities affecting various F5 products. If exploited, these vulnerabilities could lead to security breaches, including arbitrary code execution, data theft, system downtime, and denial-of-service (DoS) attacks.

The flaws impact a wide range of F5 solutions, which enterprises use to optimize application delivery, ensure high performance, and secure critical network services. Given the use of F5 products in mission-critical environments, the impact of these vulnerabilities can be severe, potentially jeopardizing the confidentiality, integrity, and availability of affected systems.

The advisory highlights multiple security issues, including buffer overflows, session hijacking, and improper memory management. Organizations must act quickly to mitigate these risks.

Affected F5 Products

The vulnerabilities disclosed in CIVN-2025-0035 impact several F5 product families, including:

  • BIG-IP Next (all modules)
  • BIG-IP Next Central Manager
  • BIG-IP Next SPK
  • BIG-IP Next CNF
  • BIG-IP 15.x, 16.x, 17.x
  • BIG-IQ Centralized Management 8.x
  • F5 Distributed Cloud (all services)
  • F5 Silverline (all services)
  • NGINX One Console
  • NGINX (all products)
  • Traffix SDC
  • F5OS-A, F5OS-C

These products are commonly used by enterprises for application delivery, load balancing, and managing network security, making them critical to business operations. Vulnerabilities in these systems, particularly in widely used modules like BIG-IP and NGINX, represent cyber risks to enterprise security.

Overview of the Vulnerabilities in F5 Products

Several security flaws were identified across F5’s product suite. These vulnerabilities in F5 products are particularly concerning because they can be exploited remotely, causing severe disruptions:

  1. Denial-of-Service (DoS) Vulnerability in zlib (CVE-2016-9840, CVE-2016-9841): A vulnerability within the zlib 1.2.8 library, located in the inffast.c file, exposes systems to a DoS condition. By exploiting improper pointer arithmetic, an attacker could cause undefined behavior, which may lead to system unresponsiveness or arbitrary code execution. This vulnerability is especially critical because it could disrupt business operations if left unaddressed.
  2. Session Fixation Vulnerability in Apache Tomcat (CVE-2019-17563): A race condition in the Apache Tomcat authentication process allows attackers to hijack a user’s session after login, gaining unauthorized access without needing the user’s credentials. This session hijacking risk could expose sensitive data and allow attackers to perform unauthorized actions within the system.
  3. Denial-of-Service Vulnerability in MiniZip (CVE-2023-45853): The MiniZip component shipped with zlib 1.3 contains an integer overflow that can lead to a buffer overflow. Attackers can trigger the flaw by having the component process long filenames or comments, corrupting memory. If exploited, this vulnerability poses a risk of DoS or arbitrary code execution.
  4. Denial-of-Service Vulnerability in Tcpdump (CVE-2020-8037): An issue in the Tcpdump ppp decapsulator can cause memory management errors, leading to DoS conditions. Attackers can trigger excessive memory allocation, leading to resource exhaustion and system instability. This vulnerability, though rated as low severity, still poses a risk to affected systems, especially if combined with other exploits.

Risk and Impact Assessment

The vulnerabilities detailed in the advisory present substantial risks, particularly in areas related to system availability, data confidentiality, and operational integrity. Specifically:

  • Unauthorized Access: Several vulnerabilities, such as session hijacking and buffer overflows, could allow attackers to gain unauthorized access to sensitive data and system functionalities, risking potential data theft or malicious modifications.
  • Service Disruption: The DoS vulnerabilities, especially those involving the zlib library and Tcpdump, can cause severe service interruptions. If exploited, these flaws could result in extended system downtimes, affecting business operations.
  • Data Integrity and Confidentiality: Exploiting these vulnerabilities could allow attackers to tamper with configurations, steal private data, or inject malicious code into the system, leading to a loss of integrity and confidentiality.

Mitigation and Recommendation Strategies

F5 has provided detailed mitigation strategies for the identified vulnerabilities, helping organizations take immediate action to reduce the risk of exploitation:

  1. Mitigation for zlib Vulnerabilities: F5 recommends disabling HTTP compression on affected systems, specifically in BIG-IP products. Disabling compression in Compression Profiles and iRules can help mitigate the exposure to these DoS and buffer overflow vulnerabilities. Additionally, users should ensure that they are running the latest security patches for the zlib library.
  2. Mitigation for Apache Tomcat Vulnerability: To address the session fixation vulnerability, F5 advises restricting access to the Configuration utility to trusted networks or devices. Hardening access control configurations can prevent unauthorized access and minimize the likelihood of session hijacking attacks.
  3. Mitigation for MiniZip Vulnerability: F5 recommends upgrading to the latest version of the affected software. If upgrading is not immediately feasible, disabling specific compression functionalities can reduce exposure. Updating to the latest version will ensure that the buffer overflow vulnerability in MiniZip is patched.
  4. Mitigation for Tcpdump Vulnerability: To address the DoS vulnerability in Tcpdump, F5 suggests updating to a patched version of Tcpdump and applying network filtering and segmentation to reduce the risk. Proper memory management settings can also help mitigate the impact of this flaw.
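Two of the mitigations above (removing compression profiles from BIG-IP virtual servers, and restricting the Configuration utility to trusted networks) can be checked from a BIG-IP's own configuration listing. The following audit script is an added example, not code from the advisory or from F5; it assumes the listing looks like `tmsh list ltm virtual` and `tmsh list sys httpd allow` output (the sample text is constructed), and it identifies compression profiles heuristically by name.

```python
import re

# Constructed sample text in the style of `tmsh list ltm virtual` and
# `tmsh list sys httpd allow` output (assumption: real output may differ).
SAMPLE_LTM_VIRTUAL = """\
ltm virtual vs_app_https {
    profiles {
        http { }
        httpcompression { }
        tcp { }
    }
}
ltm virtual vs_api {
    profiles {
        http { }
    }
}
"""
SAMPLE_SYS_HTTPD = "sys httpd {\n    allow { all }\n}\n"

def braced_blocks(text, header_re):
    """Yield (header match, body) per `<header> { ... }` block, counting braces."""
    for m in re.finditer(header_re + r"\{", text, re.M):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def virtuals_with_compression(listing):
    """Map each virtual server to the compression profiles attached to it.
    Heuristic: a profile counts if its name contains 'compress' (the default
    is `httpcompression`; custom profiles are listed under their own name)."""
    flagged = {}
    for vm, vbody in braced_blocks(listing, r"^ltm virtual (\S+) "):
        for _, pbody in braced_blocks(vbody, r"^\s*profiles "):
            names = re.findall(r"^\s*(\S+) \{", pbody, re.M)
            hits = [n for n in names if "compress" in n]
            if hits:
                flagged[vm.group(1)] = hits
    return flagged

def httpd_allows_all(listing):
    """True when the Configuration utility (httpd) allow-list is `all`, i.e.
    management access is not restricted to trusted networks or devices."""
    for _, body in braced_blocks(listing, r"^sys httpd "):
        m = re.search(r"allow \{([^}]*)\}", body)
        if m and "all" in m.group(1).split():
            return True
    return False
```

Feed the script real listings exported from the device and treat every flagged virtual server and an `all` allow-list as items to remediate under the advisory's guidance.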

Conclusion

The vulnerabilities in F5 products detailed in CIVN-2025-0035 pose cyber risks to organizations that rely on these systems for critical network performance and security. These flaws—ranging from denial-of-service vulnerabilities to buffer overflows and session hijacking—highlight the importance of regular software updates and vulnerability management. Failure to address these risks could result in unauthorized access, system downtime, and data breaches, causing both operational and reputational damage.

By following the mitigation strategies outlined in the advisory and applying the appropriate patches, F5 customers can protect their systems from exploitation. IT departments and network administrators must prioritize patching and adopting the best security practices to protect their infrastructure against these critical vulnerabilities.



Source: https://cyble.com/blog/cert-security-vulnerabilities-in-f5-solutions/