CVE-2025-41414 Overview
CVE-2025-41414 is a Null Pointer Dereference vulnerability (CWE-476) affecting F5 BIG-IP devices. When both an HTTP/2 client profile and an HTTP/2 server profile are configured on a virtual server, specially crafted, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate, resulting in a denial of service condition. This vulnerability is remotely exploitable without authentication and can significantly impact the availability of affected F5 BIG-IP infrastructure.
Critical Impact
Unauthenticated remote attackers can crash the TMM process on F5 BIG-IP devices with HTTP/2 profiles configured, causing service disruption across the entire BIG-IP platform and affecting all applications relying on the load balancer.
Affected Products
- F5 BIG-IP Local Traffic Manager
- F5 BIG-IP Access Policy Manager
- F5 BIG-IP Advanced Firewall Manager
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Application Security Manager
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Global Traffic Manager
- F5 BIG-IP Domain Name System
- F5 BIG-IP Analytics
- F5 BIG-IP Application Acceleration Manager
- F5 BIG-IP Application Visibility and Reporting
- F5 BIG-IP Automation Toolchain
- F5 BIG-IP Carrier-Grade NAT
- F5 BIG-IP Container Ingress Services
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP Link Controller
- F5 BIG-IP Policy Enforcement Manager
- F5 BIG-IP WebAccelerator
- F5 BIG-IP WebSafe
- F5 BIG-IP Next Cloud-Native Network Functions
- F5 BIG-IP Next Service Proxy for Kubernetes
Discovery Timeline
- May 7, 2025 - CVE-2025-41414 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-41414
Vulnerability Analysis
This vulnerability is classified as a Null Pointer Dereference (CWE-476), which occurs when the TMM process attempts to access memory through a null pointer during HTTP/2 request processing. The TMM is the core data plane process in F5 BIG-IP devices responsible for handling all traffic processing, including load balancing, SSL termination, and application delivery.
When both HTTP/2 client and server profiles are configured on a virtual server, certain malformed or unexpected HTTP/2 requests can trigger a code path where a null pointer is dereferenced. This causes the TMM process to crash immediately, resulting in service disruption. Since TMM is critical to all traffic handling on the BIG-IP device, its termination affects all virtual servers and applications being proxied through the device.
The vulnerability requires no authentication and can be triggered remotely by any attacker who can send HTTP/2 requests to an affected virtual server. The network-accessible nature of this attack makes it particularly dangerous for internet-facing BIG-IP deployments.
Root Cause
The root cause is improper null pointer handling within the HTTP/2 protocol implementation in TMM. When processing specific HTTP/2 frame sequences or request patterns, the code fails to properly validate that required data structures are initialized before accessing them. This defensive programming oversight allows attackers to craft requests that bypass expected initialization sequences, causing the null pointer dereference.
Attack Vector
The attack is network-based and requires no user interaction or prior authentication. An attacker needs only network access to a virtual server configured with HTTP/2 client and server profiles. The attack involves sending specially crafted HTTP/2 requests designed to trigger the null pointer condition in TMM.
The attack flow typically involves:
- Identifying a target F5 BIG-IP device with HTTP/2 enabled on a virtual server
- Establishing an HTTP/2 connection to the virtual server
- Sending malformed or specially sequenced HTTP/2 frames
- TMM encounters a null pointer during request processing
- TMM process terminates, causing service disruption
The specific request patterns that trigger this vulnerability have not been publicly disclosed by F5 to prevent weaponization.
Detection Methods for CVE-2025-41414
Indicators of Compromise
- Unexpected TMM process restarts or core dumps in /var/core/ directory
- Entries in /var/log/ltm indicating TMM termination during HTTP/2 processing
- Sudden connection drops or service interruptions correlating with HTTP/2 traffic spikes
- High availability (HA) failover events without apparent cause
Detection Strategies
- Monitor TMM process status and configure alerts for unexpected restarts using tmsh show sys mcp-state
- Implement log monitoring for TMM crash events in system logs
- Enable BIG-IP telemetry streaming to SIEM for centralized crash event correlation
- Use SentinelOne Singularity platform to monitor for abnormal process termination patterns on BIG-IP infrastructure
Monitoring Recommendations
- Configure SNMP traps or syslog forwarding for TMM failover and restart events
- Monitor HTTP/2 connection statistics for anomalous patterns using tmsh show ltm profile http2
- Implement network-based anomaly detection for unusual HTTP/2 frame sequences
- Review core dump files regularly to identify exploitation attempts
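The indicators above (unexpected TMM restarts, core files under /var/core/, failover events that cluster in time) can be checked mechanically. The following is an added example, not F5 tooling: it reads syslog-style lines in the layout of /var/log/ltm, picks out abnormal TMM exits, and raises an alert only when several exits fall inside a short window, since a single restart is usually noise while repeated crashes are what exploitation attempts against this vulnerability would look like. The sample lines are constructed, and the message wording matched by `TERMINATION` is an assumption about how a TMM crash and core dump are logged; adjust it to the text your BIG-IP version actually emits.

```python
"""Cluster abnormal TMM exits from syslog-style BIG-IP log lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog layout used by /var/log/ltm. Three TMM
# crashes land within eight minutes; the 15:30 line is a planned restart.
SAMPLE_LTM_LOG = """\
May  9 10:01:12 bigip1 notice mcpd[1234]: constructed: configuration load complete
May  9 10:02:40 bigip1 crit tmm[3456]: constructed: tmm terminated on signal 11, core written to /var/core/core.tmm.3456
May  9 10:02:41 bigip1 notice sod[2345]: constructed: tmm down, initiating failover
May  9 10:07:03 bigip1 crit tmm[3501]: constructed: tmm terminated on signal 11, core written to /var/core/core.tmm.3501
May  9 10:09:55 bigip1 crit tmm[3540]: constructed: tmm terminated on signal 11, core written to /var/core/core.tmm.3540
May  9 15:30:00 bigip1 notice tmm[3600]: constructed: tmm started after scheduled reboot
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
# Assumed wording for an abnormal TMM exit; a clean "started" line does not match.
TERMINATION = re.compile(r"terminated|core written|signal \d+", re.I)
CORE_PATH = re.compile(r"/var/core/\S+")


def parse_events(log_text, year=2025):
    """Return a sorted list of (timestamp, core_path_or_None) for abnormal TMM exits."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m or m.group("proc") != "tmm" or not TERMINATION.search(m.group("msg")):
            continue
        # syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        core = CORE_PATH.search(m.group("msg"))
        events.append((ts, core.group(0) if core else None))
    return sorted(events)


def cluster_alerts(events, window=timedelta(minutes=10), threshold=2):
    """Group exits that occur within `window` of the group's first event and
    return the groups that reach `threshold`, oldest first."""
    alerts, group = [], []

    def flush():
        if len(group) >= threshold:
            alerts.append({"first": group[0][0], "last": group[-1][0],
                           "count": len(group),
                           "cores": [c for _, c in group if c]})

    for ts, core in events:
        if group and ts - group[0][0] > window:
            flush()
            group.clear()
        group.append((ts, core))
    flush()
    return alerts


if __name__ == "__main__":
    for alert in cluster_alerts(parse_events(SAMPLE_LTM_LOG)):
        print(f"{alert['count']} TMM exits between {alert['first']} and "
              f"{alert['last']}; cores: {', '.join(alert['cores'])}")
```

Feed it the real /var/log/ltm (or the lines your syslog forwarder delivers to the SIEM) and pair each alert with the HTTP/2 connection statistics from the same window; a burst of TMM core files that lines up with HTTP/2 traffic on an unpatched virtual server is the pattern worth escalating.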
How to Mitigate CVE-2025-41414
Immediate Actions Required
- Review all virtual server configurations to identify those with HTTP/2 client and server profiles enabled
- Apply the latest security patches from F5 as soon as available
- Consider temporarily disabling HTTP/2 profiles and reverting to HTTP/1.1 if patches cannot be applied immediately
- Implement rate limiting and connection controls to reduce exposure
Patch Information
F5 has released security patches to address this vulnerability. Organizations should consult the F5 Security Advisory K000140968 for specific version information and patching instructions. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to supported versions.
Affected organizations should:
- Identify all affected BIG-IP instances using the tmsh show sys version command
- Download the appropriate patched version from F5 Downloads
- Schedule maintenance windows for upgrades
- Test patches in non-production environments before production deployment
Workarounds
- Disable HTTP/2 profiles on virtual servers if the functionality is not required
- Use iRules to add request validation, keeping in mind that iRules execute inside TMM itself, so they cannot protect against frames that crash the HTTP/2 parser before an iRule event fires
- Deploy a Web Application Firewall in front of BIG-IP to filter potentially malicious HTTP/2 traffic
- Segment network access to BIG-IP management and virtual server interfaces to limit attacker exposure
# Example: Check HTTP/2 profile configuration
tmsh list ltm profile http2
# Example: Disable HTTP/2 on a virtual server (temporary workaround)
tmsh modify ltm virtual <virtual_server_name> profiles delete { http2 }
# Example: Monitor TMM status
tmsh show sys mcp-state
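The configuration review called for under Immediate Actions, and the `tmsh list` commands just shown, produce output that is tedious to read by hand on a device with many virtual servers. The following is an added example, not F5 tooling: it parses the output of `tmsh list ltm profile http2` (to learn which profile names are HTTP/2 profiles) and `tmsh list ltm virtual` (to see which profiles each virtual server attaches, and in which context) and reports the virtual servers that carry an HTTP/2 profile on both the client side and the server side, the configuration this advisory names as affected. The two sample listings are constructed in tmsh's brace-delimited layout; treating a profile entry that has no `context` as applying to both sides is an assumption made to stay conservative.

```python
"""Report virtual servers with HTTP/2 profiles on both sides (added example)."""
import re

# Constructed sample of `tmsh list ltm profile http2` output.
SAMPLE_HTTP2_PROFILES = """\
ltm profile http2 /Common/http2 {
    app-service none
}
ltm profile http2 /Common/h2-backend {
    app-service none
    defaults-from /Common/http2
}
"""

# Constructed sample of `tmsh list ltm virtual` output: vs_api is affected,
# vs_web speaks HTTP/2 to clients only, vs_legacy is HTTP/1.1 throughout.
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_api {
    destination /Common/10.0.0.10:443
    profiles {
        /Common/clientssl { context clientside }
        /Common/http { }
        /Common/http2 { context clientside }
        /Common/h2-backend { context serverside }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_web {
    destination /Common/10.0.0.11:443
    profiles {
        /Common/clientssl { context clientside }
        /Common/http { }
        /Common/http2 { context clientside }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_legacy {
    destination /Common/10.0.0.12:80
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
"""

PROFILE_HEADER = re.compile(r"^ltm profile http2 (\S+) \{", re.M)
VIRTUAL_HEADER = re.compile(r"^ltm virtual (\S+) \{", re.M)
PROFILE_ENTRY = re.compile(r"(\S+)\s*\{([^}]*)\}")   # name { ...body... }
CONTEXT = re.compile(r"\bcontext\s+(\w+)")


def http2_profile_names(profile_listing):
    """Names of all HTTP/2 profiles, including custom ones derived from /Common/http2."""
    return set(PROFILE_HEADER.findall(profile_listing))


def _block(text, key):
    """Return the text between the braces of `key { ... }`, counting nested braces."""
    start = text.find(key + " {")
    if start < 0:
        return ""
    i = start + len(key) + 2          # first character after the opening brace
    depth, j = 1, i
    while j < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        j += 1
    return text[i:j - 1]


def virtual_profiles(virtual_listing):
    """Return {virtual_name: [(profile_name, context), ...]}; missing context -> 'all'."""
    heads = list(VIRTUAL_HEADER.finditer(virtual_listing))
    result = {}
    for k, h in enumerate(heads):
        end = heads[k + 1].start() if k + 1 < len(heads) else len(virtual_listing)
        body = _block(virtual_listing[h.start():end], "profiles")
        entries = []
        for m in PROFILE_ENTRY.finditer(body):
            ctx = CONTEXT.search(m.group(2))
            entries.append((m.group(1), ctx.group(1) if ctx else "all"))
        result[h.group(1)] = entries
    return result


def http2_sides(profile_listing, virtual_listing):
    """Return {virtual_name: set of sides ('clientside'/'serverside') carrying HTTP/2}."""
    h2 = http2_profile_names(profile_listing)
    sides = {}
    for vs, entries in virtual_profiles(virtual_listing).items():
        s = set()
        for name, ctx in entries:
            if name in h2:   # assumption: no context means the profile applies to both sides
                s.update({"clientside", "serverside"} if ctx == "all" else {ctx})
        sides[vs] = s
    return sides


def affected_virtuals(profile_listing, virtual_listing):
    """Virtual servers with HTTP/2 on both sides, the configuration the advisory flags."""
    return sorted(vs for vs, s in http2_sides(profile_listing, virtual_listing).items()
                  if {"clientside", "serverside"} <= s)


if __name__ == "__main__":
    for vs, s in http2_sides(SAMPLE_HTTP2_PROFILES, SAMPLE_VIRTUALS).items():
        print(f"{vs}: {', '.join(sorted(s)) or 'no HTTP/2'}")
    print("affected:", affected_virtuals(SAMPLE_HTTP2_PROFILES, SAMPLE_VIRTUALS))
```

On a real device, capture `tmsh list ltm profile http2` and `tmsh list ltm virtual` to files and pass their contents to `affected_virtuals`; the names it returns are the ones to prioritise for patching, or for the temporary `profiles delete { http2 }` workaround shown above if the server-side HTTP/2 profile is not needed.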
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.