CVE-2025-61933: 
F5 BIG-IP Virtual Edition (tier - best) vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability (CVE-2025-61933) exists in an undisclosed page of BIG-IP APM that allows an attacker to run JavaScript in the context of the targeted logged-out user. The vulnerability was disclosed on October 15, 2025, affecting multiple versions of F5's BIG-IP Access Policy Manager (APM) including versions 16.1.0-16.1.6.1, 17.1.0-17.1.3, 17.5.0-17.5.1.3, and 15.1.0-15.1.10.8 (NVD).

The vulnerability has been assigned a CVSS v4.0 base score of 5.1 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N and CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

If exploited, this vulnerability allows attackers to execute JavaScript code in the context of logged-out users accessing the affected BIG-IP APM page. The impact is considered medium severity with low confidentiality and integrity impact, while having no direct impact on system availability (NVD).

F5 has released patches for affected versions and strongly urges customers to update their BIG-IP software as soon as possible. This recommendation comes as part of F5's October 2025 Quarterly Security Notification and in response to a related security incident. CISA has also issued Emergency Directive 26-01 requiring federal agencies to patch affected systems by October 22, 2025 (Tenable Blog).

The vulnerability disclosure coincides with F5's announcement of a security incident involving a nation-state actor who gained access to their systems and obtained BIG-IP source code. This has elevated the urgency of patching this and other vulnerabilities, leading to CISA issuing Emergency Directive 26-01 for federal agencies (Lansweeper Blog).