Introduction
Sudden outages in authentication infrastructure can disrupt thousands of users and halt access to critical business applications. F5 BIG-IP Access Policy Manager (APM) is widely deployed in enterprise environments for identity and access management, making vulnerabilities in its core processes highly impactful.
F5 Networks is a leading provider in the application delivery and security market, with BIG-IP as its flagship platform. BIG-IP APM is used by enterprises globally to enforce authentication, authorization, and secure access policies for web and network applications. Its OAuth capabilities are central to modern zero trust and federated identity architectures.
Technical Information
CVE-2025-54854 is an out-of-bounds read vulnerability (CWE-125) in the F5 BIG-IP APM module when configured with OAuth access profiles as either Resource Server or Resource Client. When a virtual server is configured with these profiles, certain undisclosed traffic patterns can cause the apmd process to terminate unexpectedly. This results in denial of service for all active sessions managed by the affected process.
The vulnerability is triggered by insufficient validation of input data during the processing of OAuth protocol messages. Specifically, the flaw allows remote, unauthenticated attackers to send crafted traffic that causes the process to read memory outside the bounds of allocated buffers. This leads to a crash of the apmd process, disrupting authentication and access management operations.
The issue is confined to the data plane and does not impact the control plane or management interfaces. No public exploit code or detailed triggering conditions have been disclosed by F5. The vendor has not provided vulnerable code snippets or technical diagrams in public sources.
Affected Systems and Versions
The following F5 BIG-IP versions are affected when configured with APM OAuth access profiles (Resource Server or Resource Client) attached to virtual servers:
- BIG-IP 17.1.0 through 17.1.2
- BIG-IP 17.5.0 through 17.5.1
- BIG-IP 16.1.0 through 16.1.6
Only systems with the APM module licensed and OAuth profiles configured in Resource Server or Resource Client mode are vulnerable. Other configurations are not affected.
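The exposure conditions above (an affected version range plus APM licensed plus an OAuth Resource Server or Resource Client profile on a virtual server) can be turned into a fleet triage check. The script below is an added example, not F5's code or part of the advisory; the inventory records are constructed, and it assumes that a fourth point-release component (e.g. 17.1.1.3) does not move a build out of an affected range, so confirm fixed builds against F5's own advisory.

```python
from typing import List, Tuple

# Affected ranges exactly as listed in the advisory text above (inclusive bounds).
AFFECTED_RANGES = (
    ((17, 1, 0), (17, 1, 2)),
    ((17, 5, 0), (17, 5, 1)),
    ((16, 1, 0), (16, 1, 6)),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a BIG-IP version string such as '17.1.1.3' to (major, minor, maint).
    Assumption: the point-release component is ignored for range membership."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def version_in_affected_range(version: str) -> bool:
    """True when the version falls inside any of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def is_exposed(version: str, apm_licensed: bool, oauth_rs_or_rc_on_virtual: bool) -> bool:
    """Exposure requires all three advisory conditions; any missing one means
    the data-plane flaw cannot be reached on that device."""
    return version_in_affected_range(version) and apm_licensed and oauth_rs_or_rc_on_virtual


def triage(inventory: List[dict]) -> List[str]:
    """Names of devices that need the fix or a mitigation, in inventory order.
    Each record carries: name, version, apm_licensed, oauth_profile."""
    return [d["name"] for d in inventory
            if is_exposed(d["version"], d["apm_licensed"], d["oauth_profile"])]


# Constructed sample inventory (hypothetical device names) for a stand-alone run.
SAMPLE_INVENTORY = [
    {"name": "bigip-apm-01", "version": "17.1.1.3", "apm_licensed": True, "oauth_profile": True},
    {"name": "bigip-ltm-02", "version": "17.1.1", "apm_licensed": False, "oauth_profile": False},
    {"name": "bigip-apm-03", "version": "16.1.4", "apm_licensed": True, "oauth_profile": True},
    {"name": "bigip-apm-04", "version": "17.5.2", "apm_licensed": True, "oauth_profile": True},
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # prints ['bigip-apm-01', 'bigip-apm-03']
```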
Vendor Security History
F5 Networks has previously addressed memory safety and protocol parsing vulnerabilities in BIG-IP APM. The company issues quarterly security notifications and maintains a transparent product lifecycle policy. Patch response times are generally prompt, with detailed advisories and version-specific guidance. No public exploit or patch was available for CVE-2025-54854 at the time of the advisory.