CVE Vulnerability Database

CVE-2025-41431: F5 BIG-IP Access Policy Manager DoS Flaw

CVE-2025-41431 is a denial of service vulnerability in F5 BIG-IP Access Policy Manager that causes TMM termination on standby systems when connection mirroring is configured. This article covers technical details, impact, and mitigation.

Updated: January 22, 2026

CVE-2025-41431 Overview

CVE-2025-41431 is a denial of service vulnerability affecting F5 BIG-IP systems configured with connection mirroring on virtual servers. When exploited, specially crafted undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate on standby BIG-IP systems within a traffic group. This vulnerability poses a significant risk to high availability configurations, as it specifically targets standby devices that are critical for failover scenarios.

The TMM is a core component of F5 BIG-IP that handles all load-balanced traffic processing. A crash in this microkernel results in service disruption and potentially compromises the redundancy that organizations rely upon for business continuity.

Critical Impact

Unauthenticated remote attackers can cause TMM termination on standby BIG-IP systems, potentially disrupting high availability configurations and failover capabilities across multiple F5 BIG-IP product lines.

Affected Products

  • F5 BIG-IP Access Policy Manager version 17.1.2
  • F5 BIG-IP Advanced Firewall Manager version 17.1.2
  • F5 BIG-IP Analytics version 17.1.2
  • F5 BIG-IP Application Acceleration Manager version 17.1.2
  • F5 BIG-IP Application Security Manager version 17.1.2
  • F5 BIG-IP Domain Name System version 17.1.2
  • F5 BIG-IP Fraud Protection Service version 17.1.2
  • F5 BIG-IP Global Traffic Manager version 17.1.2
  • F5 BIG-IP Link Controller version 17.1.2
  • F5 BIG-IP Local Traffic Manager version 17.1.2
  • F5 BIG-IP Policy Enforcement Manager version 17.1.2

Discovery Timeline

  • 2025-05-07 - CVE-2025-41431 published to NVD
  • 2025-08-06 - Last updated in NVD database

Technical Details for CVE-2025-41431

Vulnerability Analysis

This vulnerability is classified as CWE-787 (Out-of-Bounds Write), indicating that the TMM process improperly handles certain network requests when connection mirroring is enabled. The out-of-bounds write condition can corrupt memory structures within the TMM, leading to process termination.

Connection mirroring is a feature used in BIG-IP high availability configurations to synchronize connection state information between active and standby devices. When enabled, the standby device maintains connection tables that mirror the active device, allowing for seamless failover without disrupting existing client sessions. The vulnerability specifically manifests when the standby system processes mirrored connection data containing malformed or unexpected request structures.

The attack can be executed remotely over the network without requiring authentication or user interaction. The impact is primarily against system availability, with no direct confidentiality or integrity compromise on the primary target. However, the ability to crash standby systems could be leveraged as part of a larger attack strategy to eliminate failover protection before targeting the active device.

Root Cause

The root cause is an out-of-bounds write vulnerability (CWE-787) in the TMM component. When processing certain undisclosed request types during connection mirroring operations, the TMM fails to properly validate memory boundaries before writing data. This memory safety issue allows specially crafted network traffic to trigger a write operation beyond allocated buffer boundaries, corrupting adjacent memory and causing the TMM process to crash.

Attack Vector

The attack vector is network-based, allowing remote exploitation without authentication. An attacker can send specially crafted requests to a BIG-IP virtual server configured with connection mirroring. The malicious requests are processed and mirrored to standby systems in the traffic group, where the out-of-bounds write condition is triggered in the TMM process.

The attack specifically targets the high availability infrastructure rather than the active processing node, making it particularly insidious as it silently degrades redundancy capabilities. Organizations may not immediately notice that their failover systems have been compromised until an actual failover event is required.

Detection Methods for CVE-2025-41431

Indicators of Compromise

  • Unexpected TMM process restarts or crashes on standby BIG-IP systems within traffic groups
  • Core dump files generated by TMM crashes in /var/core/ directory
  • Log entries in /var/log/ltm indicating TMM termination events
  • High availability alerts showing standby device status changes

Detection Strategies

  • Monitor BIG-IP system logs for TMM crash events, particularly on standby devices in traffic groups
  • Implement alerting for unexpected TMM restarts using SNMP traps or syslog forwarding
  • Track high availability status changes across traffic groups for anomalous patterns
  • Review network traffic to virtual servers with connection mirroring for suspicious request patterns

Monitoring Recommendations

  • Enable detailed logging for TMM events and forward to centralized SIEM systems
  • Configure health monitoring for all devices in BIG-IP traffic groups to detect availability degradation
  • Establish baseline TMM restart frequency and alert on deviations from normal patterns
  • Monitor device sync status between active and standby pairs for unexpected changes
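To make the log-based detection strategies and the baseline monitoring recommendation above concrete, here is an added Python example (not SentinelOne's or F5's code) that scans /var/log/ltm-style lines for TMM termination events on a standby device and flags when the crash rate exceeds a baseline inside a sliding window. The log line layout, hostname, PIDs and message text in SAMPLE_LTM_LOG are constructed for illustration and are not captured BIG-IP output; the keywords in CRASH_RE are an assumption to adapt to the messages a real device emits.

```python
"""Detect TMM termination events in BIG-IP-style LTM log lines and flag
crash rates above a baseline. Added example; the sample log lines below
are constructed, not captured from a real BIG-IP, and the message text
matched by CRASH_RE is an assumption to adapt to real device output."""
import re
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on syslog layout: timestamp, host,
# level, process[pid]: message. Two TMM terminations, two minutes apart.
SAMPLE_LTM_LOG = """\
May  7 10:01:12 bigip-standby notice tmm[11234]: pool /Common/web_pool member state change
May  7 10:03:05 bigip-standby err tmm[11234]: TMM terminated unexpectedly, core dumped to /var/core/
May  7 10:03:07 bigip-standby notice sod[9876]: traffic-group-1 is now standby
May  7 10:05:11 bigip-standby err tmm[11301]: TMM terminated unexpectedly, core dumped to /var/core/
May  7 10:06:45 bigip-standby notice tmm[11350]: TMM restarted
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>\w+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Keywords that indicate an abnormal TMM exit (assumed; tune to real logs).
CRASH_RE = re.compile(r"terminated|core dumped|crash|segfault", re.IGNORECASE)


def parse_line(line, year=2025):
    """Parse one syslog-style line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps omit the year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "level": m["level"],
            "proc": m["proc"], "pid": int(m["pid"]), "msg": m["msg"]}


def tmm_crash_events(log_text, year=2025):
    """Return parsed events where the tmm process reports an abnormal exit."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev and ev["proc"] == "tmm" and CRASH_RE.search(ev["msg"]):
            events.append(ev)
    return events


def exceeds_baseline(events, window_minutes=60, baseline=1):
    """True if more than `baseline` crashes fall inside any sliding window."""
    window = timedelta(minutes=window_minutes)
    times = sorted(ev["time"] for ev in events)
    start = 0
    for end, t in enumerate(times):
        # Advance the window start until it is within `window` of this event.
        while t - times[start] > window:
            start += 1
        if end - start + 1 > baseline:
            return True
    return False


if __name__ == "__main__":
    crashes = tmm_crash_events(SAMPLE_LTM_LOG)
    for ev in crashes:
        print(f"{ev['time']:%Y-%m-%d %H:%M:%S} {ev['host']} tmm[{ev['pid']}]: {ev['msg']}")
    if exceeds_baseline(crashes, window_minutes=60, baseline=1):
        print("ALERT: TMM crash rate on standby exceeds baseline; check /var/core/ and HA status")
```

The baseline value is the figure you establish from normal operation on each traffic group; a single unexpected TMM exit on a standby device is already worth a ticket, and two inside an hour is the pattern this vulnerability would produce while the failover path silently degrades.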

How to Mitigate CVE-2025-41431

Immediate Actions Required

  • Review F5 security advisory K000150668 for vendor-specific guidance and patch availability
  • Inventory all BIG-IP devices running version 17.1.2 with connection mirroring enabled
  • Assess the criticality of connection mirroring for each virtual server configuration
  • Prioritize patching for internet-facing BIG-IP deployments with connection mirroring enabled

Patch Information

F5 has published security advisory K000150668 addressing this vulnerability. Organizations should consult this advisory for specific patch versions and upgrade guidance. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.

Contact F5 support or refer to the vendor advisory for information on obtaining and applying the appropriate security patches for your BIG-IP deployment.

Workarounds

  • Consider temporarily disabling connection mirroring on non-critical virtual servers until patches can be applied
  • Implement network-level access controls to restrict traffic sources to virtual servers with connection mirroring
  • Deploy additional monitoring for standby device health to quickly detect and respond to TMM crashes
  • Ensure backup and recovery procedures are tested for rapid restoration of standby devices
```bash
# List virtual servers and show the mirror setting in context
tmsh list ltm virtual all | grep -A5 "mirror"

# Review TMM crash-related entries in the LTM log
grep -iE "tmm|crash|core" /var/log/ltm

# Show high availability status for all traffic groups
tmsh show cm traffic-group all
```
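The inventory step under Immediate Actions (find every virtual server with connection mirroring enabled) is easier to act on if the `tmsh list ltm virtual all` output is parsed rather than grepped. The following Python is an added example, not SentinelOne's or F5's code: it parses the brace-formatted listing into records, lists the mirrored virtual servers and groups them by traffic group. SAMPLE_TMSH_OUTPUT is constructed, and the `mirror enabled` / `mirror disabled` line layout and the disabled default are assumptions to confirm against a real device.

```python
"""Inventory virtual servers with connection mirroring enabled from the
text of `tmsh list ltm virtual all`. Added example; the sample output is
constructed and the `mirror enabled|disabled` line layout inside tmsh's
brace-formatted listing is an assumption to confirm against a real device."""
import re

# Constructed sample in tmsh's brace style (not captured from a BIG-IP).
SAMPLE_TMSH_OUTPUT = """\
ltm virtual /Common/vs_web_443 {
    destination /Common/10.0.0.10:443
    ip-protocol tcp
    mirror enabled
    pool /Common/web_pool
    profiles {
        /Common/tcp { }
    }
    traffic-group /Common/traffic-group-1
}
ltm virtual /Common/vs_api_8443 {
    destination /Common/10.0.0.11:8443
    ip-protocol tcp
    mirror disabled
    pool /Common/api_pool
    traffic-group /Common/traffic-group-1
}
ltm virtual /Common/vs_legacy_80 {
    destination /Common/10.0.0.12:80
    ip-protocol tcp
    mirror enabled
    pool /Common/legacy_pool
    traffic-group /Common/traffic-group-2
}
"""

VS_START = re.compile(r"^ltm virtual (\S+) \{$")


def parse_virtuals(text):
    """Parse each `ltm virtual` block into a dict of the top-level keys we care about."""
    records, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:
            m = VS_START.match(line)
            if m:
                # A missing `mirror` line is treated as disabled (assumed default).
                current = {"name": m.group(1), "mirror": "disabled",
                           "destination": None, "traffic_group": None}
                depth = 1
            continue
        if depth == 1:
            key, _, value = line.partition(" ")
            if key == "mirror":
                current["mirror"] = value.strip() or "disabled"
            elif key == "destination":
                current["destination"] = value.strip()
            elif key == "traffic-group":
                current["traffic_group"] = value.strip()
        # Track nesting so keys inside sub-blocks (profiles, etc.) are ignored.
        depth += line.count("{") - line.count("}")
        if depth == 0:
            records.append(current)
            current = None
    return records


def mirrored_virtual_servers(text):
    """Names of virtual servers whose connection mirroring is enabled."""
    return [v["name"] for v in parse_virtuals(text) if v["mirror"] == "enabled"]


def mirrored_by_traffic_group(text):
    """Group mirrored virtual servers by traffic group, the unit whose standby TMM is exposed."""
    groups = {}
    for v in parse_virtuals(text):
        if v["mirror"] == "enabled":
            groups.setdefault(v["traffic_group"], []).append(v["name"])
    return groups


if __name__ == "__main__":
    for tg, names in mirrored_by_traffic_group(SAMPLE_TMSH_OUTPUT).items():
        print(f"{tg}: {', '.join(names)}")
```

Grouping by traffic group matters because the crash lands on the standby TMM for that group: one mirrored virtual server exposed to untrusted sources is enough to remove failover for every other service the same traffic group carries, which is the list to weigh when deciding where to disable mirroring or tighten source restrictions until the patch is applied.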

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DoS
  • Vendor/Tech: F5 BIG-IP Access Policy Manager
  • Severity: HIGH
  • CVSS Score: 8.7
  • EPSS Probability: 0.10%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-787

Vendor Resources

  • F5 Article K000150668

Related CVEs

  • CVE-2021-22991: F5 BIG-IP Access Policy Manager DoS Flaw
  • CVE-2025-21091: F5 BIG-IP Access Policy Manager DoS Flaw
  • CVE-2022-23011: F5 BIG-IP Access Policy Manager DoS Flaw
  • CVE-2025-53868: F5 BIG-IP APM Auth Bypass Vulnerability
©2026 SentinelOne, All Rights Reserved.