CVE-2025-47148

🔶 medium

Summary

When the BIG-IP system is configured as both a Security Assertion Markup Language (SAML) service provider (SP) and Identity Provider (IdP), with single logout (SLO) enabled on an access policy, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Score

6.5

Medium

EPSS Score

0.1

Exploit Probability

Published Date

2025-10-15

First Seen: 2026-01-05

📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 47.9% of all 317,883 vulnerabilities in our database.

#165,618

Below average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: Oct 15, 2025

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Partial

Limited system impact

🏆 Discovered By

SSVC data provided by CISA

Last Modified 2025-10-21

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE IDs (Weakness Types)

CWE-404

📦 Affected Products 8

Vendor	Product	Status	Affected Versions
f5	big-ip_access_policy_manager	Affected	≥ 15.1.0 < 15.1.10.8
f5	big-ip_access_policy_manager	Affected	≥ 16.1.0 < 16.1.6.1
f5	big-ip_access_policy_manager	Affected	≥ 17.1.0 < 17.1.3
f5	big-ip_access_policy_manager	Affected	v17.5.0
f5	big-ip_ssl_orchestrator	Affected	≥ 15.1.0 < 15.1.10.8
f5	big-ip_ssl_orchestrator	Affected	≥ 16.1.0 < 16.1.6.1
f5	big-ip_ssl_orchestrator	Affected	≥ 17.1.0 < 17.1.3
f5	big-ip_ssl_orchestrator	Affected	v17.5.0

🔗 References 1

https://my.f5.com/manage/s/article/K000148816

Vendor Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-20730	ℹ️ low	3.3	0.0	A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access ...	2026-02-04
CVE-2026-20732	ℹ️ low	3.1	0.1	A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error mes...	2026-02-04
CVE-2025-46706	⚠️ high	7.5	0.1	When an iRule containing the HTTP::respond command is configured on a virtual server, undisclosed requests can cause an ...	2025-10-15
CVE-2025-48008	⚠️ high	7.5	0.1	When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a virtual server, undisclosed traffic along with ...	2025-10-15
CVE-2025-53474	⚠️ high	7.5	0.1	When an iRule using an ILX::call command is configured on a virtual server, undisclosed traffic can cause the Traffic M...	2025-10-15
CVE-2025-53521	⚠️ high	7.5	0.1	When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. ...	2025-10-15

These CVEs affect the same products