Impact
Undisclosed traffic sent to the BIG‑IP Configuration utility while LDAP authentication is enabled can exhaust the file descriptor pool used by the httpd service. The resulting resource exhaustion prevents the web server from accepting new connections, causing a service outage for management traffic. This vulnerability is an instance of improper resource release (CWE‑772).
Affected Systems
The flaw affects F5 BIG‑IP systems that use LDAP authentication for the Configuration utility. No specific version range is listed in the advisory; consequently, all supported releases that employ LDAP authentication may be vulnerable. The vendor states that end‑of‑technical‑support releases are not evaluated.
Risk and Exploitability
The high CVSS score (8.7) reflects significant impact and substantial privileges required: the attacker must be able to send traffic to the httpd process, likely from outside the device. Because no EPSS data is available and the vulnerability is not listed in CISA KEV, the probability of active exploitation is unknown, but it may be higher in environments where the management interface is exposed. Exploitation proceeds by generating enough requests to trigger file‑descriptor allocation until the pool is exhausted, which denies service to all management sessions. The attack vector is inferred to be remote traffic aimed at the management endpoints of BIG‑IP.
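A monitoring check for the exhaustion condition described above, added here as an example and not taken from the vendor advisory: it compares each httpd process's open file descriptors against its soft limit and flags processes near the ceiling. It assumes a Linux `/proc` filesystem and a process named `httpd`; the function names and the 80% threshold are illustrative.

```bash
#!/bin/bash
# Added example: flag httpd processes nearing their open-file limit.
# Assumptions: Linux /proc layout, process name "httpd", 80% default threshold.
# Reading another user's /proc/<pid>/fd normally requires root.

# fd_usage PID [PROC_ROOT] -> prints "<open_fds> <soft_limit>"
fd_usage() {
    local pid="$1" root="${2:-/proc}" open limit
    [ -d "$root/$pid/fd" ] || return 1
    open=$(ls -1 "$root/$pid/fd" 2>/dev/null | wc -l | tr -d ' ')
    # Fourth field of the "Max open files" row is the soft limit.
    limit=$(awk '/^Max open files/ {print $4}' "$root/$pid/limits" 2>/dev/null)
    echo "$open $limit"
}

# check_httpd_fds [THRESHOLD_PCT] [PROC_ROOT]
# Prints one line per httpd process; returns 1 if any is at or over threshold.
check_httpd_fds() {
    local threshold="${1:-80}" root="${2:-/proc}" rc=0
    local dir pid usage open limit pct
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        [ "$(cat "$dir/comm")" = "httpd" ] || continue
        pid=${dir##*/}
        usage=$(fd_usage "$pid" "$root") || continue
        open=${usage% *}
        limit=${usage#* }
        case "$limit" in
            ''|*[!0-9]*)   # "unlimited" or unreadable: report the count only
                echo "OK pid=$pid open=$open limit=${limit:-unknown}"
                continue ;;
        esac
        [ "$limit" -gt 0 ] || continue
        pct=$(( open * 100 / limit ))
        if [ "$pct" -ge "$threshold" ]; then
            echo "WARN pid=$pid open=$open limit=$limit pct=$pct"
            rc=1
        else
            echo "OK pid=$pid open=$open limit=$limit pct=$pct"
        fi
    done
    return $rc
}
```

Calling `check_httpd_fds 80` from a scheduled job and alerting on a non-zero exit status gives warning before the web server stops accepting connections.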