F5 BIG-IP SAML Spoofing Vulnerability

MEDIUM (6.5) No Patch (66 days)

Threat Intelligence

Low Risk
EPSS Score: 0.10% chance of exploitation (percentile: 28%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The F5 BIG-IP system is a high-performance web server and application delivery controller used by many organizations for secure and scalable internet traffic management. When configured as both a Security Assertion Markup Language (SAML) service provider (SP) and Identity Provider (IdP), with single logout (SLO) enabled on an access policy, the BIG-IP system can be exploited to increase memory resource utilization through undisclosed requests.

Am I affected?

You're affected if you run F5 BIG-IP versions 11.6.0 through 12.1.4, or a later software release that has reached End of Technical Support (EoTS). Check whether SAML or single logout is configured with `bigip-config show | grep saml` or `bigip-config show | grep single-logout`.

Note: This vulnerability is specific to F5 BIG-IP systems, not other web servers like Apache HTTPD.

Affected Products

F5 Networks / BIG-IP

How to fix

  1. Upgrade to a version that has reached End of Technical Support (EoTS) or later.
  2. Immediate mitigations:
     - Restrict network access to your BIG-IP instance (firewall it from the public internet)
     - Audit admin account activity for suspicious access patterns
     - Monitor for unauthorized token creation

References