CVE-2025-22846 Overview
CVE-2025-22846 is a Denial of Service (DoS) vulnerability affecting F5 BIG-IP systems when SIP Session and Router ALG profiles are configured on a Message Routing type virtual server. Undisclosed malicious traffic can cause the Traffic Management Microkernel (TMM) to terminate unexpectedly, resulting in service disruption and potential availability impact to protected applications and services.
Critical Impact
Remote attackers can crash the TMM process without authentication by sending specially crafted traffic to vulnerable BIG-IP systems, potentially causing complete service outages for enterprise network infrastructure.
Affected Products
- F5 BIG-IP Local Traffic Manager
- F5 BIG-IP Access Policy Manager
- F5 BIG-IP Advanced Firewall Manager
- F5 BIG-IP Application Security Manager
- F5 BIG-IP Analytics
- F5 BIG-IP Application Acceleration Manager
- F5 BIG-IP Domain Name System
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP Global Traffic Manager
- F5 BIG-IP Link Controller
- F5 BIG-IP Policy Enforcement Manager
- F5 BIG-IP Next Service Proxy for Kubernetes (versions 1.8.0, 1.8.1, 1.8.2, 1.9.0)
Discovery Timeline
- February 5, 2025 - CVE-2025-22846 published to NVD
- September 10, 2025 - Last updated in NVD database
Technical Details for CVE-2025-22846
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release), indicating that the TMM process fails to properly handle certain traffic conditions when specific ALG profiles are active. The vulnerability exists in the Session Initiation Protocol (SIP) message routing functionality of BIG-IP systems.
When a Message Routing type virtual server is configured with both SIP Session and Router ALG profiles, the system becomes susceptible to processing malformed or unexpected traffic patterns. The TMM, which is the core data plane processing component responsible for all traffic handling in BIG-IP, can be forced to terminate when it encounters this undisclosed traffic condition.
The vulnerability requires no authentication or user interaction to exploit. An attacker with network access to the affected virtual server can send malicious traffic that triggers the TMM crash. This can result in failover events in high-availability configurations or complete service disruption in standalone deployments.
Root Cause
The root cause stems from improper resource handling within the TMM process when processing SIP-related traffic through the Router ALG profile configuration. The vulnerability falls under CWE-404, indicating that the process fails to properly release or manage resources during certain processing conditions, leading to process termination rather than graceful error handling.
Attack Vector
The attack vector is network-based, requiring an attacker to have network connectivity to the vulnerable BIG-IP virtual server. The exploitation path involves:
- Target identification of BIG-IP systems with Message Routing virtual servers
- Verification that SIP Session and Router ALG profiles are configured
- Transmission of specially crafted traffic to trigger the TMM termination
- Resulting in denial of service affecting all traffic processed by the TMM
The vulnerability does not require authentication, privileges, or user interaction, making it accessible to any attacker with network access to the affected system. The impact is primarily to availability, with potential cascading effects on downstream services that depend on the BIG-IP infrastructure.
Detection Methods for CVE-2025-22846
Indicators of Compromise
- Unexpected TMM process restarts or crashes in BIG-IP system logs (/var/log/ltm)
- High availability failover events occurring without apparent cause
- Increased frequency of core dump files related to TMM in /var/core/
- Anomalous SIP traffic patterns targeting Message Routing virtual servers
Detection Strategies
- Monitor TMM process stability using tmsh show sys tmm-info command and alert on unexpected restarts
- Implement network traffic analysis for malformed SIP messages targeting BIG-IP virtual servers
- Configure SNMP traps or syslog alerts for TMM crash events and daemon restart notifications
- Review BIG-IP audit logs for patterns indicating exploitation attempts
Monitoring Recommendations
- Enable detailed logging for SIP Session and Router ALG profile activity
- Implement real-time monitoring of TMM process health using F5 iHealth or external monitoring tools
- Configure alerting thresholds for TMM restart frequency that may indicate active exploitation
- Deploy network-based intrusion detection rules to identify SIP-based attack patterns
How to Mitigate CVE-2025-22846
Immediate Actions Required
- Review BIG-IP configurations to identify Message Routing virtual servers with SIP Session and Router ALG profiles
- Apply vendor patches immediately if available for your BIG-IP version
- Consider implementing network access controls to limit exposure of vulnerable virtual servers
- Enable high availability configurations to minimize impact of potential TMM crashes
Patch Information
F5 has released security guidance for this vulnerability. Organizations should consult the F5 Security Article K000139780 for detailed patch information and affected version matrices. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated.
Administrators should upgrade to patched versions as specified in the F5 security advisory. For BIG-IP Next Service Proxy for Kubernetes, affected versions include 1.8.0, 1.8.1, 1.8.2, and 1.9.0.
Workarounds
- Disable the Router ALG profile on Message Routing virtual servers if not required for business operations
- Implement network segmentation to restrict access to vulnerable virtual servers from untrusted networks
- Deploy web application firewall rules to filter malicious SIP traffic before it reaches BIG-IP systems
- Consider temporarily migrating SIP routing to alternative infrastructure until patches can be applied
# Check for affected virtual server configurations
tmsh list ltm virtual | grep -A 10 "message-routing"
# Identify SIP Session profiles in use
tmsh list ltm profile sip-session
# List Router ALG profile configurations
tmsh list ltm profile router
# Monitor TMM process status
tmsh show sys tmm-info
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
