CVE-2025-41399 Overview
CVE-2025-41399 is a high-severity memory resource exhaustion vulnerability affecting F5 BIG-IP systems when a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server. Undisclosed requests sent to affected systems can cause an increase in memory resource utilization, potentially leading to denial of service conditions. This vulnerability impacts a wide range of F5 BIG-IP product modules and the BIG-IP Next product line.
Critical Impact
Attackers can remotely exhaust memory resources on F5 BIG-IP systems with SCTP profiles configured, potentially causing service disruption and denial of service conditions for critical network infrastructure.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Web Application Firewall (AWAF)
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Policy Enforcement Manager (PEM)
- F5 BIG-IP Carrier-Grade NAT (CGNAT)
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Next Central Manager (version 20.2.0)
- F5 BIG-IP Next Cloud-Native Network Functions
- F5 BIG-IP Next Service Proxy for Kubernetes
Discovery Timeline
- May 7, 2025 - CVE-2025-41399 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-41399
Vulnerability Analysis
This vulnerability is classified as CWE-404: Improper Resource Shutdown or Release. The flaw exists in how F5 BIG-IP systems handle SCTP protocol processing when an SCTP profile is configured on a virtual server. When certain undisclosed requests are processed, the system fails to properly release allocated memory resources, leading to gradual memory exhaustion.
The vulnerability requires no authentication or user interaction to exploit, making it particularly dangerous for internet-facing BIG-IP deployments. An attacker with network access to an affected virtual server can send malicious SCTP traffic that triggers the memory leak, eventually degrading system performance or causing complete service unavailability.
Root Cause
The root cause is improper resource shutdown or release (CWE-404) in the SCTP profile handling code. When processing certain SCTP requests, the BIG-IP system allocates memory resources that are not properly deallocated after the request is processed. This creates a memory leak condition where continued exploitation gradually consumes available system memory.
Attack Vector
The attack vector is network-based, requiring an attacker to send specially crafted SCTP traffic to a virtual server configured with an SCTP profile. The attack characteristics include:
- Network accessibility: The attacker must be able to reach the virtual server over the network
- No authentication required: The vulnerability can be exploited without valid credentials
- No user interaction: Exploitation does not require any action from legitimate users
- SCTP profile prerequisite: Only virtual servers with SCTP profiles configured are vulnerable
The attack does not require complex conditions or specialized access, making it relatively straightforward to exploit once a vulnerable target is identified. Sustained attack traffic can progressively exhaust memory resources, leading to service degradation or complete denial of service.
Detection Methods for CVE-2025-41399
Indicators of Compromise
- Abnormal increase in memory utilization on BIG-IP systems with SCTP profiles configured
- Unexpected SCTP traffic patterns or volume spikes targeting virtual servers
- System performance degradation correlating with SCTP traffic
- Memory exhaustion alerts or warnings in BIG-IP system logs
Detection Strategies
- Monitor memory utilization trends on BIG-IP systems, establishing baselines and alerting on anomalies
- Implement SCTP traffic analysis to detect unusual request patterns or volumes
- Review TMM (Traffic Management Microkernel) logs for memory-related warnings or errors
- Deploy network traffic monitoring to identify potential exploitation attempts targeting SCTP services
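The memory-trend baseline described above can be checked with a least-squares fit, shown here as an added example that is not F5 tooling or part of the original advisory. The sample series, field layout (hour, memory used %, SCTP packets/s) and thresholds are constructed assumptions. Requiring a high R² separates sustained growth (memory never released) from a burst that is freed again.

```python
from statistics import mean

# Constructed samples, not real telemetry: (hour, memory used %, SCTP packets/s).
BASELINE = [(h, 41.0 + (0.4 if h % 2 else -0.4), 120) for h in range(12)]
LEAKING = [(h, 41.0 + 2.5 * h + (0.3 if h % 2 else -0.3), 900) for h in range(12)]
# Transient burst: memory rises for two hours and is released again.
BURST = [(h, 60.0 if h in (8, 9) else 41.0, 900 if h in (8, 9) else 120)
         for h in range(12)]

def linear_fit(xs, ys):
    """Least-squares slope and R^2 of ys against xs."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    syy = sum((y - my) ** 2 for y in ys)
    slope = sxy / sxx
    r2 = (sxy * sxy) / (sxx * syy) if syy else 0.0
    return slope, r2

def assess(samples, baseline_pps=120, min_slope=0.5, min_r2=0.9, limit_pct=90.0):
    """Flag sustained memory growth and project hours until limit_pct.

    min_slope is in percentage points per hour; all thresholds are
    illustrative assumptions and should be tuned to the local baseline.
    """
    if len(samples) < 3:
        raise ValueError("need at least 3 samples to fit a trend")
    hours = [s[0] for s in samples]
    mem = [s[1] for s in samples]
    slope, r2 = linear_fit(hours, mem)
    # Slope alone also fires on a late burst; R^2 demands steady growth.
    sustained = slope >= min_slope and r2 >= min_r2
    eta = round((limit_pct - mem[-1]) / slope, 1) if sustained else None
    return {
        "slope_pct_per_hr": round(slope, 2),
        "r2": round(r2, 3),
        "sctp_x_baseline": round(mean(s[2] for s in samples) / baseline_pps, 1),
        "alert": sustained,
        "hours_to_limit": eta,
    }

if __name__ == "__main__":
    for name, series in (("baseline", BASELINE), ("leaking", LEAKING), ("burst", BURST)):
        print(name, assess(series))
```

The burst series has a slope above the threshold but a low R², so it does not alert; the leaking series alerts and reports the projected time until the memory limit.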
Monitoring Recommendations
- Enable detailed logging for SCTP profile activity on affected virtual servers
- Configure memory utilization thresholds and alerts in BIG-IP monitoring systems
- Implement real-time traffic analysis for SCTP protocol anomalies
- Establish baseline metrics for normal SCTP traffic patterns to aid in anomaly detection
How to Mitigate CVE-2025-41399
Immediate Actions Required
- Review all virtual server configurations to identify those with SCTP profiles enabled
- Apply vendor-provided patches as soon as they become available from F5
- Consider temporarily disabling SCTP profiles on non-critical virtual servers until patches are applied
- Implement network-level access controls to restrict SCTP traffic to trusted sources only
- Increase monitoring on affected systems to detect potential exploitation attempts
Patch Information
F5 has released information regarding this vulnerability in their knowledge base. Organizations should consult the F5 Knowledge Article K000137709 for specific patch versions and remediation guidance. The affected versions span multiple BIG-IP product modules including version 17.1.0 of classic BIG-IP products and version 20.2.0 of BIG-IP Next Central Manager.
Note that software versions which have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable without available patches.
Workarounds
- Restrict network access to virtual servers with SCTP profiles to only trusted IP addresses using BIG-IP ACLs or external firewalls
- If SCTP functionality is not required, consider removing or disabling SCTP profiles from virtual server configurations
- Implement rate limiting on SCTP traffic to mitigate the impact of potential exploitation attempts
- Deploy additional monitoring and alerting for memory utilization on systems that cannot be immediately patched
# Example: Check for SCTP profiles on virtual servers
# (one-line output keeps the virtual server name on the same line as the match)
tmsh list ltm virtual one-line | grep -i "sctp"
# Example: Review memory utilization
tmsh show sys memory


