CVE-2025-36525 Overview
CVE-2025-36525 is a buffer overflow vulnerability (CWE-120) affecting F5 BIG-IP Access Policy Manager (APM). When a BIG-IP APM virtual server is configured to use a PingAccess profile, specially crafted undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate unexpectedly. This termination results in a denial of service condition that can disrupt traffic processing and authentication services.
Critical Impact
Remote unauthenticated attackers can crash TMM processes on BIG-IP APM systems configured with PingAccess profiles, causing service disruption and potential loss of availability for critical authentication infrastructure.
Affected Products
- F5 BIG-IP Access Policy Manager (multiple versions)
- BIG-IP APM virtual servers configured with PingAccess profiles
- Systems not running End of Technical Support (EoTS) software versions
Discovery Timeline
- 2025-05-07 - CVE-2025-36525 published to NVD
- 2025-09-29 - Last updated in NVD database
Technical Details for CVE-2025-36525
Vulnerability Analysis
This vulnerability stems from a classic buffer overflow condition (CWE-120) within the TMM component when processing requests through a PingAccess profile configuration. The TMM is a critical component of the BIG-IP system responsible for processing all application traffic, making this vulnerability particularly impactful for organizations relying on BIG-IP APM for access management and authentication.
The vulnerability can be exploited remotely over the network without requiring any authentication or user interaction. When triggered, the buffer overflow causes the TMM process to crash, leading to immediate service disruption. Since TMM handles all traffic processing, its termination affects the entire virtual server's ability to process requests, effectively creating a denial of service condition.
The attack requires no privileges and involves low complexity, making it accessible to a wide range of threat actors. While the vulnerability does not directly impact data confidentiality or integrity, the availability impact is significant as it can take down critical authentication infrastructure.
Root Cause
The root cause is a buffer overflow vulnerability (CWE-120: Buffer Copy without Checking Size of Input) in the TMM process. The vulnerability occurs when the TMM processes certain malformed or specially crafted requests through a PingAccess profile. The code fails to properly validate the size of input data before copying it into a fixed-size buffer, allowing an attacker to overflow the buffer and corrupt adjacent memory, ultimately causing the TMM process to crash.
Attack Vector
The attack vector is network-based, requiring the attacker to send specially crafted requests to a BIG-IP APM virtual server configured with a PingAccess profile. The attacker does not need to be authenticated or have any prior access to the system. The attack can be executed remotely from any network location that can reach the vulnerable virtual server.
The vulnerability is triggered by sending undisclosed malformed requests that exploit the buffer overflow condition in the PingAccess profile processing code. When the TMM attempts to process these requests, the buffer overflow occurs, causing memory corruption and subsequent process termination.
Detection Methods for CVE-2025-36525
Indicators of Compromise
- Unexpected TMM process restarts or crashes in BIG-IP system logs
- Service interruptions on virtual servers configured with PingAccess profiles
- High availability (HA) failover events triggered by TMM failures
- Error messages in /var/log/ltm related to TMM termination
- Unusual network traffic patterns targeting APM virtual servers
Detection Strategies
- Monitor TMM process health and restart frequency using BIG-IP monitoring tools
- Implement network-based intrusion detection to identify anomalous traffic patterns to APM virtual servers
- Configure alerting for TMM core dump generation events
- Review BIG-IP logs for entries indicating unexpected TMM termination
- Deploy SentinelOne Singularity to detect and alert on process crash patterns and exploitation attempts
Monitoring Recommendations
- Enable detailed logging for PingAccess profile activity on affected virtual servers
- Configure SNMP traps or syslog alerts for TMM health state changes
- Monitor system availability metrics and failover events in high availability configurations
- Implement real-time log analysis for early detection of exploitation attempts
How to Mitigate CVE-2025-36525
Immediate Actions Required
- Review your BIG-IP APM deployments to identify virtual servers using PingAccess profiles
- Apply the vendor-provided security patches as soon as possible
- Consider temporarily disabling PingAccess profiles on critical systems until patches can be applied
- Implement network access controls to limit exposure of vulnerable virtual servers
- Enable high availability configurations to minimize service disruption if exploitation occurs
Patch Information
F5 has released security updates to address this vulnerability. Administrators should consult the F5 Support Article K000150598 for detailed patch information, affected version ranges, and upgrade guidance. Organizations should prioritize patching systems that are internet-facing or handle critical authentication workflows.
Note that software versions which have reached End of Technical Support (EoTS) are not evaluated for this vulnerability and may remain vulnerable.
Workarounds
- Restrict network access to BIG-IP APM virtual servers using firewall rules or network segmentation
- If PingAccess functionality is not required, consider removing or disabling PingAccess profiles from virtual server configurations
- Implement rate limiting on affected virtual servers to reduce the potential impact of exploitation attempts
- Deploy Web Application Firewall (WAF) rules to filter potentially malicious requests before they reach the APM
- Ensure high availability is configured so that TMM crashes trigger automatic failover to minimize downtime
# Example: Review virtual servers with PingAccess profiles
tmsh list ltm virtual | grep -A 10 "access-policy"
# Check TMM process status
tmsh show sys tmm-info
# Review recent TMM restarts in logs
grep -i "tmm" /var/log/ltm | grep -i "restart\|crash\|core"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
