F5 Networks disclosed CVE-2025-54500, a critical HTTP/2 vulnerability dubbed the *MadeYouReset Attack*, in its BIG-IP products. A remote, unauthenticated attacker can trigger it by sending malformed HTTP/2 control frames. The flaw (classified under CWE-770, Allocation of Resources Without Limits or Throttling) bypasses the protocol's concurrent-stream safeguard, causing CPU exhaustion and denial of service (DoS) on affected systems. While the issue is confined to the data plane (no control plane compromise), it disrupts corporate networks by overwhelming resources. Vulnerable versions span BIG-IP 15.x–17.x and BIG-IP Next (20.3.0+); engineering hotfixes have been released but have not been fully QA-tested. Mitigations include disabling HTTP/2 or deploying ASM/Advanced WAF DoS profiles. Because the attack requires no authentication, the risk to unpatched, Internet-facing systems is amplified. F5 credited researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel for responsible disclosure.
Source: https://cybersecuritynews.com/f5-fixes-http-2-vulnerability/
TPRM report: https://www.rankiteo.com/company/f5
{
  "id": "f5636081725",
  "linkid": "f5",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "industry": "Networking and Cybersecurity",
      "location": "Seattle, Washington, USA",
      "name": "F5 Networks",
      "type": "Technology Company"
    },
    {
      "location": "Global",
      "name": "Organizations using vulnerable F5 BIG-IP products",
      "type": ["Enterprises", "Service Providers"]
    }
  ],
  "attack_vector": ["Network", "HTTP/2 Protocol Exploit"],
  "customer_advisories": [
    "Disable HTTP/2 if possible",
    "Apply hotfixes for affected versions",
    "Monitor for exploitation indicators"
  ],
  "date_publicly_disclosed": "2025-08-13",
  "description": "F5 Networks disclosed a new HTTP/2 vulnerability (CVE-2025-54500), dubbed the 'HTTP/2 MadeYouReset Attack,' affecting multiple BIG-IP products. The flaw allows remote attackers to launch denial-of-service (DoS) attacks by exploiting malformed HTTP/2 control frames to overwhelm systems, causing CPU exhaustion. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and has a medium severity rating with CVSS scores of 5.3 (v3.1) and 6.9 (v4.0). It affects the data plane only, with no control plane compromise. F5 has released engineering hotfixes and recommended mitigations, including disabling HTTP/2 or implementing BIG-IP ASM/Advanced WAF DoS protection profiles.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to service disruptions",
    "downtime": {
      "cause": "CPU resource exhaustion due to malformed HTTP/2 control frames",
      "scope": "Potential complete system unavailability",
      "type": "Denial-of-Service (DoS)"
    },
    "operational_impact": "Disruption of corporate network services relying on affected BIG-IP products",
    "systems_affected": [
      {
        "product": "BIG-IP",
        "versions": [
          "17.x (17.5.0–17.5.1, 17.1.0–17.1.2)",
          "16.x (16.1.0–16.1.6)",
          "15.x (15.1.0–15.1.10)"
        ]
      },
      {
        "product": "BIG-IP Next",
        "versions": ["20.3.0", "SPK/CNF/K8s implementations"]
      },
      {
        "condition": "HTTP/2-enabled proxy configurations",
        "product": "F5 Silverline"
      }
    ]
  },
  "investigation_status": "Ongoing (mitigations and patches released)",
  "lessons_learned": [
    "Importance of protocol-level safeguards against resource exhaustion attacks",
    "Need for thorough testing of HTTP/2 implementations in networking devices",
    "Value of proactive monitoring for anomalous protocol behavior"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Release of engineering hotfixes to address the HTTP/2 handling flaw",
      "Guidance to disable HTTP/2 or implement WAF-based mitigations",
      "Enhanced monitoring recommendations for HTTP/2 protocol abuse"
    ],
    "root_causes": [
      "Improper handling of malformed HTTP/2 control frames in F5 BIG-IP products",
      "Lack of effective throttling for concurrent HTTP/2 streams (CWE-770)",
      "Data plane vulnerability allowing CPU resource exhaustion"
    ]
  },
  "recommendations": [
    "Immediately apply F5-provided hotfixes for affected BIG-IP versions",
    "Disable HTTP/2 protocol where feasible, reverting to HTTP/1.1",
    "Implement BIG-IP ASM/Advanced WAF DoS protection profiles with Behavioral DoS Detection",
    "Monitor HTTP/2 profile statistics for signs of exploitation (e.g., unusual RST_STREAM/WINDOW_UPDATE frames)",
    "For BIG-IP Next SPK/CNF/K8s, delete the F5SPKIngressHTTP2 Custom Resource if possible",
    "Prioritize patching in environments where HTTP/2 cannot be disabled"
  ],
  "references": [
    {"source": "F5 Security Advisory"},
    {"source": "CVE-2025-54500 Details"},
    {"source": "Research by Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel"}
  ],
  "response": {
    "adaptive_behavioral_waf": "Recommended use of BIG-IP ASM/Advanced WAF DoS protection profiles with TPS and stress-based attributes",
    "communication_strategy": {
      "advisories": [
        "F5 security advisory with mitigation guidance",
        "Recommendations for monitoring and patching"
      ],
      "public_disclosure": "2025-08-13 (initial), 2025-08-15 (updates)"
    },
    "containment_measures": [
      "Disabling HTTP/2 protocol where feasible",
      "Monitoring HTTP/2 profile statistics for anomalous RST_STREAM and WINDOW_UPDATE frames"
    ],
    "enhanced_monitoring": "Monitoring HTTP/2 profile statistics for exploitation indicators (e.g., high RST_STREAM/WINDOW_UPDATE frames)",
    "incident_response_plan_activated": true,
    "remediation_measures": [
      "Applying engineering hotfixes (e.g., Hotfix-BIGIP-17.5.1.0.80.7-ENG.iso, Hotfix-BIGIP-16.1.6.0.27.3-ENG.iso)",
      "Deleting F5SPKIngressHTTP2 Custom Resource for BIG-IP Next SPK/CNF/K8s deployments"
    ]
  },
  "stakeholder_advisories": "F5 recommends immediate action for affected customers; engineering hotfixes provided with acknowledgment of limited QA testing",
  "title": "F5 Networks HTTP/2 MadeYouReset Attack (CVE-2025-54500)",
  "type": ["Denial-of-Service (DoS)", "Vulnerability Exploitation"],
  "vulnerability_exploited": {
    "affected_versions": [
      {
        "product": "BIG-IP",
        "versions": [
          "17.x (17.5.0–17.5.1, 17.1.0–17.1.2)",
          "16.x (16.1.0–16.1.6)",
          "15.x (15.1.0–15.1.10)"
        ]
      },
      {
        "product": "BIG-IP Next",
        "versions": ["20.3.0", "SPK/CNF/K8s implementations"]
      },
      {
        "condition": "HTTP/2-enabled proxy configurations",
        "product": "F5 Silverline"
      }
    ],
    "cve_id": "CVE-2025-54500",
    "cvss_v3.1": 5.3,
    "cvss_v4.0": 6.9,
    "cwe_id": "CWE-770",
    "cwe_name": "Allocation of Resources Without Limits or Throttling",
    "description": "Malformed HTTP/2 control frames exploit to bypass concurrent streams limit, causing CPU exhaustion and DoS.",
    "f5_internal_ids": [
      "1937817 (BIG-IP)",
      "1937817-5 (BIG-IP Next)",
      "1937817-6 (Next SPK/CNF/K8s)"
    ],
    "name": "HTTP/2 MadeYouReset Attack",
    "severity": "Medium",
    "unaffected_products": [
      "BIG-IQ Centralized Management",
      "F5 Distributed Cloud services",
      "NGINX products",
      "F5OS systems",
      "F5 AI Gateway"
    ]
  }
}