14 matches found
CVE-2021-22984
On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving an unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM...
CVE-2025-58474
When BIG-IP Advanced WAF is configured on a virtual server with Server-Side Request Forgery (SSRF) protection or when an NGINX server is configured with App Protect Bot Defense, undisclosed requests can disrupt new client requests. Note: Software versions which have reached End of Technical Support...
CVE-2025-58474
CVE-2025-58474 is a DNS lookup vulnerability affecting BIG-IP Advanced WAF/ASM and NGINX App Protect. When BIG-IP Advanced WAF is on a virtual server with SSRF protection or NGINX App Protect Bot Defense is used, undisclosed requests can disrupt new client requests, enabling potential DoS on the ...
Agentic AI Is Here — and It’s Shaping the Future of Bot Defense
...
CVE-2024-23805
Summary (CVE-2024-23805): This vulnerability affects F5 BIG-IP products, notably the Application Visibility and Reporting module and BIG-IP Advanced WAF/ASM. It arises when an HTTP Analytics profile with URLs enabled is configured on a virtual server and the database variables avr.IncludeServerI...
F5 Networks BIG-IP : F5 Application Visibility and Reporting module and BIG-IP Advanced WAF/ASM vulnerability (K000137334)
The version of F5 Networks BIG-IP installed on the remote host is prior to 15.1.10 / 16.1.4 / 17.1.1. It is, therefore, affected by a vulnerability as referenced in the K000137334 advisory. - Undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. For the Application...
What Else Can You Do to Defend Against Bots?
...
K38157961: BIG-IP ASM Bot Defense may fail to block malicious requests when both the Bot Defense profile and DoS profile are associated with a virtual server
Security Advisory Description The BIG-IP ASM Bot Defense profile may unexpectedly fail to block malicious requests. This issue occurs when the following condition is met: The affected virtual server is associated with the following: A security policy A DoS profile configured with either TPS-based...
K33440533: BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984
Security Advisory Description When receiving an unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense versions prior to 14.1.0, or a Bot Defense profile versions 14.1.0 and later, may...
K45143221: BIG-IP AVRD vulnerability CVE-2020-27728
Security Advisory Description Under certain conditions, Analytics, Visibility, and Reporting daemon (AVRD) may generate a core file and restart on the BIG-IP system when processing requests sent from mobile devices. CVE-2020-27728 Impact This may allow an attacker to initiate a denial-of-service Do...
CVE-2021-22984
On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving an unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM...
CVE-2021-22984
CVE-2021-22984 affects F5 BIG-IP ASM/Advanced WAF Bot Defense open redirection. Affected: BIG-IP with Bot Defense or DoS profiles may redirect unauthenticated requests to a malicious URI, producing HTTP 307 redirects. Impact: potential phishing or credential theft through unexpected redirects. Af...
F5 Networks BIG-IP : BIG-IP ASM Bot Defense open redirection vulnerability (K33440533)
When receiving an unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense versions prior to 14.1.0, or a Bot Defense profile versions 14.1.0 and later, may subject clients and web servers to...
Securing Social / Locking Login / Armoring Authentication
Authentication might be the single biggest hazard for web security over the next decade. It's not that the fundamentals of authentication are particularly challenging; we've understood the basic principles behind password management, push-based authorization, and device certificates for some time...