CVE-2025-53856

15.10.2025, 14:15

When a virtual server, network address translation (NAT) object, or secure network address translation (SNAT) object uses the embedded Packet Velocity Acceleration (ePVA) feature, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. To determine which BIG-IP platforms have an ePVA chip refer to  K12837: Overview of the ePVA feature https://my.f5.com/manage/s/article/K12837 . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
f5	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Vendor	Product	Version
f5	big-ip_access_policy_manager	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_advanced_firewall_manager	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_advanced_web_application_firewall	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_analytics	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_application_acceleration_manager	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_application_security_manager	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_application_visibility_and_reporting	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_automation_toolchain	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_carrier-grade_nat	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_container_ingress_services	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_ddos_hybrid_defender	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_domain_name_system	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_edge_gateway	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_fraud_protection_service	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_global_traffic_manager	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_link_controller	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_local_traffic_manager	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_policy_enforcement_manager	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_ssl_orchestrator	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_webaccelerator	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_websafe	15.1.0 ≤ 𝑥 < 15.1.10.8
f5	big-ip_access_policy_manager	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_advanced_firewall_manager	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_advanced_web_application_firewall	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_analytics	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_application_acceleration_manager	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_application_security_manager	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_application_visibility_and_reporting	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_automation_toolchain	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_carrier-grade_nat	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_container_ingress_services	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_ddos_hybrid_defender	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_domain_name_system	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_edge_gateway	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_fraud_protection_service	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_global_traffic_manager	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_link_controller	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_local_traffic_manager	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_policy_enforcement_manager	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_ssl_orchestrator	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_webaccelerator	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_websafe	16.1.0 ≤ 𝑥 < 16.1.6.1
f5	big-ip_access_policy_manager	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_access_policy_manager	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_advanced_firewall_manager	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_advanced_firewall_manager	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_advanced_web_application_firewall	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_advanced_web_application_firewall	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_analytics	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_analytics	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_application_acceleration_manager	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_application_acceleration_manager	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_application_security_manager	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_application_security_manager	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_application_visibility_and_reporting	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_application_visibility_and_reporting	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_automation_toolchain	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_automation_toolchain	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_carrier-grade_nat	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_carrier-grade_nat	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_container_ingress_services	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_container_ingress_services	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_ddos_hybrid_defender	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_ddos_hybrid_defender	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_domain_name_system	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_domain_name_system	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_edge_gateway	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_edge_gateway	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_fraud_protection_service	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_fraud_protection_service	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_global_traffic_manager	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_link_controller	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_link_controller	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_local_traffic_manager	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_local_traffic_manager	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_policy_enforcement_manager	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_policy_enforcement_manager	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_ssl_orchestrator	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_ssl_orchestrator	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_webaccelerator	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_webaccelerator	17.5.0 ≤ 𝑥 ≤ 17.5.1
f5	big-ip_websafe	17.1.0 ≤ 𝑥 < 17.1.3
f5	big-ip_websafe	17.5.0 ≤ 𝑥 ≤ 17.5.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-705 - Incorrect Control Flow Scoping
The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

References

https://my.f5.com/manage/s/article/K000156707