CVE-2025-47148
MEDIUM
F5 BIG-IP Access Policy Manager - Improper Resource Release
Title source: ruleDescription
When the BIG-IP system is configured as both a Security Assertion Markup Language (SAML) service provider (SP) and Identity Provider (IdP), with single logout (SLO) enabled on an access policy, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Scores
CVSS v3: 6.5
EPSS: 0.0008
EPSS Percentile: 24.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-404
Status: published
Products (4)
f5/big-ip_access_policy_manager: 17.5.0
f5/big-ip_access_policy_manager: 15.1.0 - 15.1.10.8
f5/big-ip_ssl_orchestrator: 17.5.0
f5/big-ip_ssl_orchestrator: 15.1.0 - 15.1.10.8
Published: Oct 15, 2025
Tracked Since: Feb 18, 2026