CVE-2022-25946

Name: CVE-2022-25946
Creator: NVD / NIST
Published: 2022-05-05T17:15:11.017+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.37%

Last modified Jun 17, 2026

CVE-2022-25946 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker with Administrator role privilege may be able to bypass Appliance mode restrictions due to a missing integrity check in F5 BIG-IP Guided Configuration. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. EPSS estimates a 0.37% chance of exploitation in the next 30 days.

Description

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker with Administrator role privilege may be able to bypass Appliance mode restrictions due to a missing integrity check in F5 BIG-IP Guided Configuration. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

EPSS Probability

0.37%

29.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-354

Affected Software

Vendor	Product	Versions
F5	Big-Ip Access Policy Manager	13.1.0
F5	Big-Ip Access Policy Manager	13.1.1
F5	Big-Ip Access Policy Manager	13.1.3
F5	Big-Ip Access Policy Manager	13.1.4
F5	Big-Ip Access Policy Manager	13.1.5
F5	Big-Ip Access Policy Manager	14.1.0
F5	Big-Ip Access Policy Manager	14.1.2
F5	Big-Ip Access Policy Manager	14.1.3
F5	Big-Ip Access Policy Manager	14.1.4
F5	Big-Ip Access Policy Manager	15.1.0
F5	Big-Ip Access Policy Manager	15.1.1
F5	Big-Ip Access Policy Manager	15.1.2
F5	Big-Ip Access Policy Manager	15.1.3
F5	Big-Ip Access Policy Manager	15.1.4
F5	Big-Ip Access Policy Manager	15.1.5
F5	Big-Ip Access Policy Manager	16.1.0
F5	Big-Ip Access Policy Manager	16.1.1
F5	Big-Ip Access Policy Manager	16.1.2
F5	Big-Ip Advanced Web Application Firewall	13.1.0
F5	Big-Ip Advanced Web Application Firewall	13.1.1
F5	Big-Ip Advanced Web Application Firewall	13.1.3
F5	Big-Ip Advanced Web Application Firewall	13.1.4
F5	Big-Ip Advanced Web Application Firewall	13.1.5
F5	Big-Ip Advanced Web Application Firewall	14.1.0
F5	Big-Ip Advanced Web Application Firewall	14.1.2
F5	Big-Ip Advanced Web Application Firewall	14.1.3
F5	Big-Ip Advanced Web Application Firewall	14.1.4
F5	Big-Ip Advanced Web Application Firewall	15.1.0
F5	Big-Ip Advanced Web Application Firewall	15.1.1
F5	Big-Ip Advanced Web Application Firewall	15.1.2
F5	Big-Ip Advanced Web Application Firewall	15.1.3
F5	Big-Ip Advanced Web Application Firewall	15.1.4
F5	Big-Ip Advanced Web Application Firewall	15.1.5
F5	Big-Ip Advanced Web Application Firewall	16.1.0
F5	Big-Ip Advanced Web Application Firewall	16.1.1
F5	Big-Ip Advanced Web Application Firewall	16.1.2
F5	Big-Ip Application Security Manager	13.1.0
F5	Big-Ip Application Security Manager	13.1.1
F5	Big-Ip Application Security Manager	13.1.3
F5	Big-Ip Application Security Manager	13.1.4
F5	Big-Ip Application Security Manager	13.1.5
F5	Big-Ip Application Security Manager	14.1.0
F5	Big-Ip Application Security Manager	14.1.2
F5	Big-Ip Application Security Manager	14.1.3
F5	Big-Ip Application Security Manager	14.1.4
F5	Big-Ip Application Security Manager	15.1.0
F5	Big-Ip Application Security Manager	15.1.1
F5	Big-Ip Application Security Manager	15.1.2
F5	Big-Ip Application Security Manager	15.1.3
F5	Big-Ip Application Security Manager	15.1.4

Showing 50 of 55 affected configurations. See NVD for the full list.

References

https://support.f5.com/csp/article/K52322100Vendor Advisory
https://support.f5.com/csp/article/K52322100Vendor Advisory

Timeline

Published: May 5, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-25946?

How severe is CVE-2022-25946?

CVE-2022-25946 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.37% probability of exploitation in the next 30 days.

How do I fix CVE-2022-25946?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-25946?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST