CVE-2025-24497 Overview
CVE-2025-24497 affects F5 BIG-IP Policy Enforcement Manager when Uniform Resource Locator (URL) categorization is configured on a virtual server. Undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate, resulting in a denial of service condition. The vulnerability is classified under [CWE-125] Out-of-Bounds Read and is exploitable remotely without authentication or user interaction.
F5 has not evaluated software versions that have reached End of Technical Support (EoTS). Administrators running supported BIG-IP releases with URL categorization enabled should consult the F5 advisory and apply available updates.
Critical Impact
Unauthenticated network attackers can repeatedly terminate the TMM process, disrupting traffic processing on affected BIG-IP virtual servers and causing service outages.
Affected Products
- F5 BIG-IP Policy Enforcement Manager (supported versions with URL categorization configured)
- BIG-IP virtual servers with URL categorization enabled
- Note: End of Technical Support (EoTS) versions were not evaluated by F5
Discovery Timeline
- 2025-02-05 - CVE-2025-24497 published to the National Vulnerability Database (NVD)
- 2025-08-06 - NVD record last updated
Technical Details for CVE-2025-24497
Vulnerability Analysis
The flaw resides in the Traffic Management Microkernel (TMM), the data plane component responsible for processing client traffic on BIG-IP devices. When URL categorization is configured on a virtual server, specific undisclosed requests trigger an out-of-bounds read condition. This causes TMM to terminate abnormally and interrupt traffic handling.
F5 has not publicly detailed the exact request format that triggers the condition. The advisory categorizes the impact as availability-only, with no compromise of confidentiality or integrity. The vulnerability is exploitable over the network without prior authentication.
Root Cause
The vulnerability is rooted in [CWE-125] Out-of-Bounds Read within the URL categorization processing path. TMM reads memory outside the bounds of an intended buffer when parsing certain requests destined for a virtual server with URL categorization enabled. The invalid read causes the process to crash rather than gracefully handle the malformed input.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends crafted requests to a BIG-IP virtual server configured with URL categorization. Each successful request terminates TMM, dropping in-flight connections and interrupting service until the process restarts. Repeated requests can sustain a denial-of-service condition against the affected appliance.
No public proof-of-concept exploit or in-the-wild exploitation has been reported. Refer to the F5 Knowledge Base Article K000140920 for technical details and fixed software versions.
Detection Methods for CVE-2025-24497
Indicators of Compromise
- Unexpected TMM process restarts logged in /var/log/ltm or via tmsh show sys crash-info
- Core dump files generated under /var/savecore/ referencing the TMM process
- Sudden drops in active connections on virtual servers with URL categorization enabled
- High-availability failover events triggered by TMM termination on the active unit
Detection Strategies
- Monitor BIG-IP system logs for repeated tmm segfault or termination messages correlated with inbound traffic spikes
- Correlate virtual server traffic logs with TMM restart events to identify request patterns preceding crashes
- Track HTTP request anomalies destined for virtual servers configured with URL categorization profiles
Monitoring Recommendations
- Forward BIG-IP syslog and crash telemetry to a centralized Security Information and Event Management (SIEM) platform
- Enable SNMP traps for bigipTmmRestart and related TMM health events
- Alert on TMM restarts occurring within short time windows, which may indicate active exploitation attempts
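As an added example (not from the F5 advisory or this page's author), the following Python script implements the "TMM restarts within a short time window" alert from the recommendations above. It runs over constructed /var/log/ltm-style lines; the log wording, the message pattern and the year used to complete the syslog timestamps are assumptions to adjust to what your own appliances emit.

```python
import re
from datetime import datetime, timedelta

# Constructed /var/log/ltm-style sample lines (not real BIG-IP output).
# Three terminations within ~70 seconds, then an isolated one hours later.
SAMPLE_LOG = """\
Feb 05 10:12:33 bigip1 notice tmm[1234]: tmm started
Feb 05 10:14:01 bigip1 err tmm[1234]: tmm segfault, terminating
Feb 05 10:14:09 bigip1 notice tmm[1301]: tmm started
Feb 05 10:14:40 bigip1 err tmm[1301]: tmm segfault, terminating
Feb 05 10:14:48 bigip1 notice tmm[1377]: tmm started
Feb 05 10:15:12 bigip1 err tmm[1377]: tmm segfault, terminating
Feb 05 11:30:00 bigip1 notice tmm[2001]: tmm started
Feb 05 13:02:55 bigip1 err tmm[2001]: tmm segfault, terminating
"""

# Syslog-style prefix: "Mon DD HH:MM:SS host level message" (assumed layout).
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<level>\S+) (?P<msg>.*)$")
# Message wording treated as a TMM termination (assumption; tune to your logs).
CRASH_RE = re.compile(r"\btmm\b.*\b(segfault|terminat|core dump|restart)", re.IGNORECASE)


def parse_crashes(log_text, year=2025):
    """Return the sorted timestamps of lines that look like a TMM termination."""
    crashes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not CRASH_RE.search(m.group("msg")):
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        crashes.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
    return sorted(crashes)


def find_bursts(crashes, threshold=3, window=timedelta(minutes=5)):
    """Sliding window over sorted crash times; each (first, last, count) tuple is
    a window of at most `window` length holding at least `threshold` terminations."""
    alerts, start = [], 0
    for end, t in enumerate(crashes):
        while t - crashes[start] > window:
            start += 1  # drop terminations that fell out of the window
        count = end - start + 1
        if count >= threshold:
            alerts.append((crashes[start], t, count))
    return alerts


if __name__ == "__main__":
    for first, last, count in find_bursts(parse_crashes(SAMPLE_LOG)):
        print(f"ALERT: {count} TMM terminations between {first} and {last}")
```

The isolated termination at 13:02 is not flagged, so routine single restarts do not page anyone, while the cluster of three within the 5-minute window does.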
How to Mitigate CVE-2025-24497
Immediate Actions Required
- Review which BIG-IP virtual servers have URL categorization configured and inventory exposed instances
- Apply the fixed software versions identified in F5 Knowledge Base article K000140920 as soon as feasible
- Restrict network access to BIG-IP management and data plane interfaces using access control lists where possible
Patch Information
F5 has published remediation guidance and fixed software versions in the F5 Knowledge Base Article K000140920. Administrators should consult the advisory for the specific BIG-IP branches and minimum fixed versions applicable to their deployment. Software versions that have reached End of Technical Support are not evaluated and should be upgraded to a supported, patched release.
Workarounds
- Disable URL categorization on affected virtual servers if the feature is not required
- Place upstream filtering controls in front of BIG-IP to drop malformed or anomalous HTTP requests
- Use BIG-IP iRules or local traffic policies to validate incoming request structure before it reaches URL categorization processing
# Example: list virtual servers and check for URL categorization profiles
tmsh list ltm virtual one-line | grep -i url-cat
# Example: temporarily remove a URL categorization profile from a virtual server
tmsh modify ltm virtual <vs_name> profiles delete { <url_cat_profile> }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.