CVE-2025-20058 Overview
CVE-2025-20058 is a resource exhaustion vulnerability (CWE-400) affecting F5 BIG-IP products. When a message routing profile is configured on a virtual server, undisclosed network traffic can cause an increase in memory resource utilization. The flaw impacts the BIG-IP traffic management plane and may degrade availability of services routed through the affected virtual server. F5 notes that software versions which have reached End of Technical Support (EoTS) are not evaluated for this advisory.
Critical Impact
An unauthenticated remote attacker can send crafted traffic to a virtual server using a message routing profile, exhausting memory and impacting service availability on the BIG-IP appliance.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM) and related modules including Access Policy Manager (APM), Advanced WAF, and Application Security Manager (ASM)
- F5 BIG-IP Advanced Firewall Manager (AFM), Carrier-Grade NAT (CGNAT), DDoS Hybrid Defender, and Policy Enforcement Manager (PEM)
- F5 BIG-IP DNS, Global Traffic Manager (GTM), Link Controller, SSL Orchestrator, WebAccelerator, and additional BIG-IP modules
Discovery Timeline
- 2025-02-05 - CVE-2025-20058 published to NVD
- 2025-10-21 - Last updated in NVD database
Technical Details for CVE-2025-20058
Vulnerability Analysis
The vulnerability resides in the BIG-IP message routing framework, which is used to inspect, route, and manipulate application-layer protocol traffic such as SIP and Diameter. When a message routing profile is bound to a virtual server, the data plane allocates memory structures to track in-flight messages and routing state. Undisclosed traffic patterns trigger sustained memory growth that is not reclaimed within normal connection lifecycles.
The condition is reachable over the network without authentication or user interaction, but exploitation requires that an attacker reach a virtual server configured with a message routing profile. Successful exploitation does not compromise confidentiality or integrity. It degrades availability by exhausting memory available to the Traffic Management Microkernel (TMM) and related processes.
Root Cause
The root cause is improper control of resource consumption ([CWE-400]) inside the message routing profile processing logic. State allocated for incoming messages is retained longer than required, allowing crafted or malformed traffic to accumulate memory and starve other workloads sharing the same TMM instance.
Attack Vector
An unauthenticated attacker delivers protocol traffic to the affected virtual server over the network. The traffic does not require elevated privileges or user interaction. Repeated requests amplify memory growth until services degrade or the appliance fails over. F5 has not publicly disclosed the exact protocol message patterns that trigger the condition.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.545% (67.98 percentile), indicating moderate predicted exploitation likelihood relative to other CVEs.
Detection Methods for CVE-2025-20058
Indicators of Compromise
- Sustained increase in TMM memory utilization on BIG-IP devices that host virtual servers with a message routing profile, without a corresponding rise in legitimate session counts.
- Repeated tmm memory allocation warnings or out-of-memory log entries in /var/log/ltm correlating with traffic to message routing virtual servers.
- High-volume or anomalous SIP, Diameter, or generic message routing protocol traffic sourced from a limited set of remote IPs.
Detection Strategies
- Inventory all virtual servers and identify those bound to a message routing profile using tmsh list ltm virtual and filter by profiles containing message routing entries.
- Baseline normal memory consumption per TMM instance and alert on deviation thresholds that precede service degradation.
- Correlate network flow telemetry with BIG-IP health metrics to identify external sources triggering memory growth.
Monitoring Recommendations
- Enable SNMP or iHealth-based monitoring for sysHostMemoryUsed, tmmMemoryUsed, and per-profile statistics on affected virtual servers.
- Forward BIG-IP system and LTM logs to a centralized analytics platform to detect memory pressure events tied to message routing traffic.
- Configure alerts for connection table growth and dropped traffic on virtual servers using message routing profiles.
How to Mitigate CVE-2025-20058
Immediate Actions Required
- Review the F5 Support Article K000140947 and identify whether any in-service BIG-IP version is affected.
- Upgrade affected BIG-IP instances to a fixed software release listed in the F5 advisory; versions at End of Technical Support are not evaluated and should be migrated.
- Restrict network reachability to virtual servers using a message routing profile to known, trusted peers only.
Patch Information
F5 has published remediation guidance and fixed software versions in F5 Support Article K000140947. Administrators should consult the advisory for the specific fixed builds applicable to each BIG-IP module and deployment.
Workarounds
- Remove the message routing profile from any virtual server where it is not strictly required until patches are applied.
- Apply source IP restrictions, rate limiting, or AFM rules to constrain who can send message routing protocol traffic to the affected virtual servers.
- Place memory utilization thresholds on the device and configure automated failover to a healthy peer if memory pressure crosses safe limits.
# Identify virtual servers using a message routing profile
tmsh list ltm virtual one-line | grep -E "messagerouter|sipsession|diametersession"
# Temporarily restrict source addresses on an affected virtual server
tmsh modify ltm virtual <vs_name> source-address-translation { type automap } \
profiles delete { <message_routing_profile> }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
