A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-39778

CVE-2024-39778: F5 BIG-IP Access Policy Manager DoS Flaw

CVE-2024-39778 is a denial of service vulnerability in F5 BIG-IP Access Policy Manager affecting systems with stateless virtual servers and High-Speed Bridge. This post covers technical details, affected versions, and mitigations.

Published: June 2, 2026

CVE-2024-39778 Overview

CVE-2024-39778 is a denial-of-service vulnerability in F5 BIG-IP systems configured with a stateless virtual server on hardware platforms using a High-Speed Bridge (HSB). Undisclosed requests sent to the affected virtual server can cause the Traffic Management Microkernel (TMM) to terminate, interrupting traffic processing across the device. The flaw affects multiple BIG-IP modules including Local Traffic Manager (LTM), Advanced Firewall Manager (AFM), Access Policy Manager (APM), and others sharing the same TMM data plane. F5 published Security Advisory K05710614 on August 14, 2024, addressing the issue [CWE-702].

Critical Impact

Remote, unauthenticated attackers can trigger TMM termination on affected BIG-IP devices, causing data plane disruption and denial of service to all applications fronted by the appliance.

Affected Products

  • F5 BIG-IP Local Traffic Manager, Advanced Firewall Manager, and Access Policy Manager (version 17.1.0 and earlier supported releases on HSB hardware)
  • F5 BIG-IP Advanced Web Application Firewall, Application Security Manager, and SSL Orchestrator
  • F5 BIG-IP DNS, Global Traffic Manager, Link Controller, Carrier-Grade NAT, Policy Enforcement Manager, DDoS Hybrid Defender, and related modules

Discovery Timeline

  • 2024-08-14 - CVE-2024-39778 published to NVD and F5 advisory K05710614 released
  • 2024-08-19 - Last updated in NVD database

Technical Details for CVE-2024-39778

Vulnerability Analysis

The vulnerability resides in how TMM processes traffic when a stateless virtual server is bound to a BIG-IP platform equipped with a High-Speed Bridge (HSB) ASIC. Stateless virtual servers bypass connection table tracking and forward packets directly through the data plane. When specific undisclosed request patterns reach this configuration, TMM enters an unexpected condition and terminates. Because TMM is the core process responsible for all traffic management, its termination drops every active connection traversing the appliance until the process restarts. The CWE classification of CWE-702 (Exposure of Sensitive Information Due to Incorrect Spec Implementation, here mapped to improper specification handling) reflects a deviation between documented behavior and runtime handling of packets on HSB-equipped hardware.

Root Cause

The root cause is improper handling of certain packet conditions in the TMM-to-HSB processing path when statelessness is enabled. Without connection state, TMM relies on per-packet logic that fails to validate inputs the HSB hardware accepts, leading to an unrecoverable error and process termination. F5 has not disclosed the exact request structure that triggers the condition.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted traffic to the IP and port of a stateless virtual server hosted on an HSB-enabled BIG-IP appliance. Each successful trigger causes TMM to terminate, producing a service outage for all traffic processed by that TMM instance. The condition can be repeated to sustain a denial-of-service state.

No public proof-of-concept code or exploit is available, and F5 has withheld the specific request format. The vulnerability is therefore described in prose only — see the F5 Security Advisory K05710614 for vendor-supplied technical details.

Detection Methods for CVE-2024-39778

Indicators of Compromise

  • TMM core dump files appearing in /var/core/ on the BIG-IP device following inbound traffic spikes
  • /var/log/ltm entries indicating TMM process restarts or signal-terminated workers
  • Sudden loss of virtual server availability accompanied by failover events on high-availability pairs
  • Traffic statistics showing abrupt connection drops on virtual servers configured with the stateless type

Detection Strategies

  • Inventory all virtual servers with the stateless type and correlate against BIG-IP hardware platforms that include HSB (for example, i-Series and select VIPRION blades)
  • Monitor TMM uptime and restart counts using tmctl -d blade tmm/traffic and SNMP OIDs for process health
  • Forward BIG-IP ltm, tmm, and audit logs to a centralized SIEM for correlation of crash events with upstream source IPs

Monitoring Recommendations

  • Enable alerting on repeated TMM segfault or assertion failed messages in BIG-IP system logs
  • Track packet rates and unusual protocol patterns destined for stateless virtual servers, especially from new or low-reputation sources
  • Review HA failover frequency, as repeated TMM termination on the active unit will trigger device-group transitions

How to Mitigate CVE-2024-39778

Immediate Actions Required

  • Identify all BIG-IP devices running supported branches with stateless virtual servers configured on HSB hardware
  • Apply the engineering hotfix or upgrade to a fixed release as listed in F5 Security Advisory K05710614
  • If patching is delayed, restrict source networks permitted to reach stateless virtual servers using upstream ACLs or BIG-IP packet filters

Patch Information

F5 provides remediated versions and engineering hotfixes through the F5 Security Advisory K05710614. Software versions that have reached End of Technical Support (EoTS) were not evaluated and should be upgraded to a supported, patched branch. Confirm the fixed release for each affected module before scheduling maintenance.

Workarounds

  • Convert affected stateless virtual servers to a stateful standard or performance (Layer 4) type where the application design permits
  • Place an upstream access control list or DDoS mitigation device in front of the BIG-IP to filter untrusted sources from reaching the stateless listener
  • Disable or remove unused stateless virtual servers to reduce exposed attack surface until patching is complete
bash
# Configuration example: list stateless virtual servers and apply a source address restriction
tmsh list ltm virtual one-line | grep "type stateless"

# Restrict the affected virtual server to trusted source networks
tmsh modify ltm virtual /Common/vs_stateless_example source 10.0.0.0/8
tmsh save sys config

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechF5 Big Ip Access Policy Manager
  • SeverityHIGH
  • CVSS Score8.7
  • EPSS Probability0.57%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-702
  • NVD-CWE-noinfo
  • Vendor Resources
  • F5 Security Advisory K05710614
  • Related CVEs
  • CVE-2025-54500: F5 BIG-IP APM DoS Vulnerability
  • CVE-2025-23412: F5 BIG-IP APM DoS Vulnerability
  • CVE-2021-22991: F5 BIG-IP Access Policy Manager DoS Flaw
  • CVE-2025-59781: F5 BIG-IP APM DNS DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English