CVE-2025-21091: 
F5 BIG-IP Virtual Edition (tier - best) vulnerability analysis and mitigation

CVE-2025-21091 is a vulnerability affecting BIG-IP systems when SNMP v1 or v2c are disabled. The vulnerability was discovered and disclosed on February 5, 2025, affecting multiple versions of BIG-IP including versions 17.1.0-17.1.1, 16.1.0-16.1.5, and 15.1.0-15.1.10 (NVD, F5 Advisory).

The vulnerability has been classified as CWE-401: Missing Release of Memory after Effective Lifetime. It received a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 score of 8.7 (High). The issue affects the snmpd component of BIG-IP systems and occurs when SNMP v1 or v2c are disabled, allowing undisclosed requests to cause an increase in memory resource utilization (F5 Advisory).

When exploited, this vulnerability can cause system performance degradation until the snmpd process is either forced to restart or is manually restarted. As a control plane issue, it may impact traffic handling on the data plane, potentially leading to a denial-of-service (DoS) condition on the BIG-IP system (F5 Advisory).

F5 has released fixes in version 17.1.2 for the 17.x branch, hotfix Hotfix-BIGIP-16.1.5.2.0.7.5-ENG.iso for the 16.x branch, and hotfix Hotfix-BIGIP-15.1.10.6.0.11.6-ENG.iso for the 15.x branch. As a workaround, users can re-enable SNMP on the BIG-IP system. Additionally, F5 recommends configuring BIG-IP systems with high availability (HA) to lessen the impact of the vulnerability (F5 Advisory).