CVE-2024-21771 Overview
CVE-2024-21771 is a denial-of-service vulnerability in the F5 BIG-IP Advanced Firewall Manager (AFM) Intrusion Prevention System (IPS) engine. For unspecified traffic patterns, the IPS engine spends excessive time matching traffic against signatures. This behavior triggers the Traffic Management Microkernel (TMM) to restart and disrupts traffic flow.
The vulnerability is classified under [CWE-770] (Allocation of Resources Without Limits or Throttling). Remote attackers can exploit this issue over the network without authentication or user interaction. F5 has not evaluated software versions that have reached End of Technical Support (EoTS).
Critical Impact
Remote, unauthenticated attackers can crash the TMM process on BIG-IP AFM appliances, causing repeated traffic disruption and effective denial of service on perimeter firewall infrastructure.
Affected Products
- F5 BIG-IP Advanced Firewall Manager (AFM) — versions prior to vendor fix
- F5 BIG-IP Advanced Firewall Manager (AFM) 17.1.0
- Deployments running the AFM IPS engine with signature matching enabled
Discovery Timeline
- 2024-02-14 - CVE-2024-21771 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-21771
Vulnerability Analysis
The flaw resides in the IPS signature matching engine of BIG-IP AFM. When specific traffic patterns reach the device, the engine consumes excessive CPU cycles attempting to match the data against its signature set. The prolonged processing exhausts resources allocated to the Traffic Management Microkernel.
When TMM exceeds its execution budget, the watchdog terminates and restarts the process. TMM handles all data-plane traffic on BIG-IP, so each restart drops active connections and interrupts traffic forwarding. Repeated triggering produces sustained denial of service.
The issue affects availability only. Confidentiality and integrity are not impacted, since the engine does not leak data or permit code execution.
Root Cause
The root cause is uncontrolled resource consumption [CWE-770] within the AFM IPS engine. The signature matching logic lacks adequate time or complexity bounds for certain input patterns. F5 has not publicly disclosed the specific traffic patterns or signature combinations that trigger the condition.
Attack Vector
Attackers exploit this issue remotely by sending crafted traffic through a BIG-IP device with AFM IPS protection enabled. No authentication or user interaction is required. The attack targets the data plane rather than the management interface, so any network path that reaches the protected virtual servers is sufficient.
No public proof-of-concept code or exploit modules are listed in the enriched data. F5 has not reported exploitation in the wild, and CISA has not added the CVE to the Known Exploited Vulnerabilities catalog. The current EPSS probability is 0.515%.
Detection Methods for CVE-2024-21771
Indicators of Compromise
- Repeated TMM restart events in /var/log/ltm or /var/log/tmm referencing watchdog timeouts or core dumps
- Sudden drops in active connection counts on BIG-IP virtual servers correlated with AFM IPS activity
- High CPU utilization on TMM cores during sustained inbound traffic against a virtual server with IPS policies attached
- SNMP traps or iHealth alerts indicating TMM process failures
Detection Strategies
- Monitor BIG-IP system logs for tmm segfaults, tmm restarted messages, and core file generation in /var/savecore
- Correlate AFM IPS engine logs with TMM restart timestamps to identify traffic flows preceding each crash
- Forward BIG-IP syslog to a centralized analytics platform and alert on TMM restart frequency exceeding baseline
Monitoring Recommendations
- Track TMM uptime and restart counters using F5 iHealth or tmsh show sys proc-info tmm
- Capture packet samples on virtual servers experiencing repeated TMM resets for forensic review
- Alert when AFM IPS signature matching CPU time per flow exceeds expected thresholds
How to Mitigate CVE-2024-21771
Immediate Actions Required
- Apply the F5 engineering hotfix or upgrade to a fixed BIG-IP AFM version as documented in F5 Support Article K000137595
- Inventory all BIG-IP devices running AFM with IPS signature matching enabled and confirm version status
- Restrict network exposure of affected virtual servers until patching is complete
- Enable centralized log forwarding to capture TMM restart events for incident review
Patch Information
F5 provides remediation guidance and fixed software versions in F5 Support Article K000137595. Versions that have reached End of Technical Support are not evaluated and should be upgraded to a supported, patched release. Review the advisory for the exact fixed build numbers that apply to your deployment.
Workarounds
- Disable the AFM IPS policy on affected virtual servers if business requirements allow, until the patch is applied
- Apply upstream rate limiting or access control lists to reduce exposure to untrusted sources
- Use BIG-IP iRules or AFM rules to drop traffic patterns associated with observed TMM restarts
- Enable high-availability failover monitoring so peer devices absorb traffic during TMM restart events
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

