10 matches found
CVE-2026-2507
When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...
CVE-2025-58474 BIG-IP Advanced WAF and ASM and NGINX App Protect DNS lookup vulnerability
When BIG-IP Advanced WAF is configured on a virtual server with Server-Side Request Forgery (SSRF) protection or when an NGINX server is configured with App Protect Bot Defense, undisclosed requests can disrupt new client requests. Note: Software versions which have reached End of Technical Support...
K000152341: BIG-IP AFM DoS protection profile vulnerability CVE-2025-59478
Security Advisory Description: When a BIG-IP AFM denial-of-service (DoS) protection profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2025-59478) Impact: Traffic is disrupted while the TMM process restarts. This...
CVE-2025-24312
When BIG-IP AFM is provisioned with IPS module enabled and protocol inspection profile is configured on a virtual server or firewall rule or policy, undisclosed traffic can cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are...
PT-2024-19045 · F5 · Big-Ip Afm
Name of the Vulnerable Software and Affected Versions: BIG-IP AFM (affected versions not specified). Description: The BIG-IP AFM IPS engine may spend an excessive amount of time matching unspecified traffic patterns against signatures, resulting in Traffic Management Microkernel (TMM) restarting and...
CVE-2022-41806
In versions 16.1.x before 16.1.3.2 and 15.1.x before 15.1.5.1, when BIG-IP AFM Network Address Translation policy with IPv6/IPv4 translation rules is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization...
CVE-2021-23028
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, and 13.1.x before 13.1.4, when JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests m...
CVE-2021-23040
On BIG-IP AFM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This issue is exposed only when BIG-IP AFM is provisione...
The vulnerability of the is_hdr_criteria_matches function in the BIG-IP Advanced Web Application Firewall (AWAF) virtual server allows an attacker to cause a service failure or execute arbitrary code.
The vulnerability of the is_hdr_criteria_matches function in the BIG-IP Advanced Web Application Firewall (AWAF) virtual server lies in the execution of operations outside the buffer in memory. Exploiting this vulnerability can allow a malicious actor to cause service failures or execute arbitrary cod...
F5 BIG-IP AFM Memory Leak Vulnerability
F5 BIG-IP AFM is an advanced firewall product from F5 USA for protection against DDoS attacks. A memory leak vulnerability exists in the BIG-IP AFM HTTP version 13.1.3.4, which stems from a Traffic Management Microkernel (TMM) leaking memory when a security profile is applied to a virtual server, a...