CVE-2025-41433 Overview
CVE-2025-41433 is a high-severity denial-of-service vulnerability in F5 BIG-IP. It affects systems on which a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is configured on a Message Routing virtual server. Undisclosed requests sent to such a virtual server can cause the Traffic Management Microkernel (TMM) to terminate, disrupting traffic processing on the affected device until TMM restarts. The flaw is classified as CWE-476 (NULL Pointer Dereference) and is reachable over the network without authentication or user interaction. F5 published advisory K000140937 listing the affected and fixed versions and remediation guidance. Software versions that have reached End of Technical Support (EoTS) are not evaluated.
Critical Impact
An unauthenticated remote attacker who can reach an exposed virtual server can crash the TMM process on BIG-IP. TMM is restarted automatically, but data plane traffic through the device is interrupted until it comes back; on a high-availability pair the crash triggers failover, and repeated crashes produce a sustained outage. The impact is on availability only, which is why F5 rates the issue High rather than Critical.
Affected Products
- F5 BIG-IP Local Traffic Manager, Access Policy Manager, and Advanced WAF (versions prior to F5's fixed releases per K000140937)
- F5 BIG-IP Advanced Firewall Manager, Application Security Manager, Policy Enforcement Manager, and Carrier-Grade NAT
- F5 BIG-IP DNS, Global Traffic Manager, Link Controller, SSL Orchestrator, DDoS Hybrid Defender, and additional modules listed in the F5 advisory
Discovery Timeline
- 2025-05-07 - CVE-2025-41433 published to NVD
- 2025-10-21 - Last updated in NVD database
Technical Details for CVE-2025-41433
Vulnerability Analysis
The vulnerability resides in the Traffic Management Microkernel (TMM), the data plane process on F5 BIG-IP that handles all traffic passing through virtual servers. When a Message Routing virtual server is configured with a SIP MRF ALG profile, TMM parses incoming SIP signaling traffic to provide session-aware routing and NAT traversal for VoIP flows. Undisclosed requests sent to that virtual server trigger a NULL pointer dereference in this handling path; F5 has not published the request content or the exact location. Dereferencing the invalid pointer crashes TMM, which drops all data plane traffic until the process is restarted. On high-availability pairs the crash forces a failover, and repeated exploitation produces a sustained denial-of-service condition.
Root Cause
The issue is classified as CWE-476 NULL Pointer Dereference. Consistent with that class, TMM code processing SIP MRF ALG traffic dereferences a pointer or state object that is not valid for the request being handled, without checking it first. The trigger is the content of the SIP traffic itself rather than an authentication or authorization weakness, so the only precondition is that the request reaches a virtual server with the vulnerable profile attached.
Attack Vector
Exploitation requires only network reachability to a Message Routing virtual server that has the SIP MRF ALG profile attached. No credentials and no user interaction are required. An attacker sends the undisclosed SIP traffic to the listening virtual server, which causes TMM to dereference a null pointer and terminate. Exposure is therefore a property of each virtual server, not of the device as a whole: a BIG-IP that has no Message Routing virtual server with a SIP MRF ALG profile, for example one used solely for HTTP/HTTPS load balancing, does not expose this code path.
No public proof-of-concept code or verified exploit examples are available. Refer to the F5 security advisory K000140937 for vendor-supplied technical details.
Detection Methods for CVE-2025-41433
Indicators of Compromise
- Unexpected TMM core files under /var/core/ on BIG-IP devices; operators normally see only the file name and timestamp, and F5 Support can attribute a core to the SIP MRF ALG code path
- tmm process restart events recorded in /var/log/ltm or /var/log/tmm
- Unplanned failover events in HA pairs correlated with inbound SIP traffic to a Message Routing virtual server
Detection Strategies
- Inventory BIG-IP virtual servers and identify any Message Routing virtual server with a SIP MRF ALG profile attached; these are the only configurations exposed to this flaw
- Correlate inbound SIP signaling traffic patterns with TMM restart timestamps to identify probing or exploitation attempts
- After any unexplained TMM crash, generate a qkview and upload it to F5 iHealth; its diagnostics flag software versions affected by published advisories, and F5 Support can confirm from the core whether this issue was the cause
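Added example, not code from the page or from F5: the inventory step above (and the prioritization step under Immediate Actions) amounts to cross-referencing two tmsh listings, the SIP MRF session profiles and the virtual servers that reference them. The script parses constructed samples of `tmsh list ltm message-routing sip profile session` and `tmsh list ltm virtual one-line` output that are embedded inline; the object names and the exact layout of those samples are assumptions. It flags Message Routing virtual servers that use a SIP MRF session profile; whether a flagged profile is an ALG profile is left to manual review, because the page does not name the tmsh attribute that distinguishes it.

```python
import re

# Constructed sample of `tmsh list ltm virtual one-line` output (not captured from a real device).
VIRTUALS_ONE_LINE = """\
ltm virtual /Common/sip_mrf_vs { destination /Common/10.0.0.5:5060 ip-protocol tcp mask 255.255.255.255 profiles { /Common/sip_alg_session { } /Common/sip_alg_router { } /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled vlans-disabled }
ltm virtual /Common/web_vs { destination /Common/10.0.0.6:443 ip-protocol tcp mask 255.255.255.255 profiles { /Common/clientssl { context clientside } /Common/http { } /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled vlans-disabled }
ltm virtual /Common/legacy_sip_vs { destination /Common/10.0.0.7:5060 ip-protocol udp mask 255.255.255.255 profiles { /Common/sip { } /Common/udp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled vlans-disabled }
"""

# Constructed sample of `tmsh list ltm message-routing sip profile session` output; only the
# object header lines matter here, so the bodies are abbreviated.
MRF_SESSION_PROFILES = """\
ltm message-routing sip profile session /Common/sip_alg_session {
    app-service none
}
ltm message-routing sip profile session /Common/sip_lab_session {
    app-service none
}
"""


def basename(obj):
    """Strip the partition/folder prefix so /Common/foo and foo compare equal."""
    return obj.rsplit("/", 1)[-1]


def brace_block(text, key):
    """Return the contents of the first `key { ... }` block in text, honouring nested braces."""
    m = re.search(r"\b%s\s*\{" % re.escape(key), text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None


def profile_refs(profiles_block):
    """Names referenced inside a `profiles { name { ... } ... }` block, as tmsh prints them."""
    names, depth, tokens = [], 0, profiles_block.split()
    for j, tok in enumerate(tokens):
        if tok == "{":
            depth += 1
            if depth == 1:  # the token before a depth-1 brace is a profile name
                names.append(tokens[j - 1])
        elif tok == "}":
            depth -= 1
    return names


def mrf_session_profiles(listing):
    """Object names from `tmsh list ltm message-routing sip profile session` output."""
    return {basename(m.group(1)) for m in
            re.finditer(r"^ltm message-routing sip profile session (\S+)\s*\{", listing, re.M)}


def exposed_virtuals(virtuals_one_line, session_profile_listing):
    """Message Routing virtual servers whose profile list references a SIP MRF session profile.

    Returns [(virtual_server_name, session_profile_name), ...]. The legacy `ltm profile sip`
    object (used by legacy_sip_vs in the sample) is a different object type and is deliberately
    not matched; this check only finds the MRF configuration the advisory describes.
    """
    sessions = mrf_session_profiles(session_profile_listing)
    hits = []
    for line in virtuals_one_line.splitlines():
        m = re.match(r"^ltm virtual (\S+)\s*\{", line)
        if not m:
            continue
        for ref in profile_refs(brace_block(line, "profiles") or ""):
            if basename(ref) in sessions:
                hits.append((basename(m.group(1)), basename(ref)))
    return hits


if __name__ == "__main__":
    for vs, prof in exposed_virtuals(VIRTUALS_ONE_LINE, MRF_SESSION_PROFILES):
        print(f"review: virtual server {vs} uses SIP MRF session profile {prof}")
```

On a real device, feed the script the two listings captured with `tmsh list ltm message-routing sip profile session` and `tmsh list ltm virtual one-line`; the one-line form matters because it keeps each virtual server on a single line, and names are normalised so that objects printed with and without the `/Common/` prefix compare equal.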
Monitoring Recommendations
- Forward BIG-IP system logs and TMM crash telemetry to a centralized SIEM or data lake for retention and correlation
- Alert on any tmm process termination or failover events on devices that handle SIP traffic
- Track SIP request volume and source IP diversity against Message Routing virtual servers to flag anomalous bursts
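Added example, not code from the page or from F5: the correlation the detection strategy and the monitoring recommendations describe, TMM termination entries in the BIG-IP system log matched against inbound SIP requests in the seconds before each one. The syslog lines and the SIP request records are constructed; the message text after the process name, the assumed year 2025 (syslog lines carry none), and the 30-second window are assumptions, and the matcher keys only on "tmm" plus a crash or restart keyword rather than on any specific F5 message ID.

```python
import re
from datetime import datetime, timedelta

# Constructed BIG-IP-style syslog lines (not copied from a real /var/log/ltm). The second line
# is an unexplained TMM crash, the fourth its automatic restart, the fifth a routine restart.
LTM_LOG = """\
May  7 10:14:58 bigip1 notice mcpd[5432]: constructed: configuration load complete
May  7 10:15:02 bigip1 warning sod[6001]: constructed: tmm terminated unexpectedly, core written to /var/core
May  7 10:15:03 bigip1 notice sod[6001]: constructed: Standby
May  7 10:15:09 bigip1 notice tmm[7100]: constructed: tmm restarted
May  7 11:40:00 bigip1 notice tmm[7100]: constructed: scheduled tmm restart after config change
"""

# Constructed inbound SIP signaling records for the Message Routing virtual server, as a flow
# collector or AFM logging might export them: (timestamp, source IP).
SIP_EVENTS = [
    ("2025-05-07 10:14:40", "203.0.113.10"),
    ("2025-05-07 10:14:41", "203.0.113.10"),
    ("2025-05-07 10:14:55", "203.0.113.10"),
    ("2025-05-07 10:14:59", "203.0.113.10"),
    ("2025-05-07 10:15:01", "203.0.113.10"),
    ("2025-05-07 11:35:00", "198.51.100.7"),
]

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
# Generic match: "tmm" followed somewhere by a termination/core/restart keyword (case-insensitive).
TMM_DOWN = re.compile(r"\btmm\b.*\b(terminat|core|crash|restart)", re.I)


def parse_ltm_ts(s, year=2025):
    """Syslog timestamps carry no year; the caller supplies it (ASSUMPTION: 2025 by default)."""
    return datetime.strptime(s, "%b %d %H:%M:%S").replace(year=year)


def tmm_down_events(log_text, year=2025):
    """Timestamps of lines that look like a TMM termination or restart."""
    out = []
    for line in log_text.splitlines():
        m = SYSLOG_TS.match(line)
        if m and TMM_DOWN.search(m.group("rest")):
            out.append(parse_ltm_ts(m.group("ts"), year))
    return out


def collapse(events, gap=timedelta(seconds=60)):
    """Merge crash and restart lines from the same incident; the first timestamp represents it."""
    incidents = []
    for t in sorted(events):
        if not incidents or t - incidents[-1] > gap:
            incidents.append(t)
    return incidents


def correlate(log_text, sip_events, window=timedelta(seconds=30), year=2025):
    """For each TMM incident, count SIP requests and distinct sources in the preceding window.

    Returns [(incident_time, request_count, distinct_sources)], oldest first.
    """
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src) for ts, src in sip_events]
    results = []
    for t in collapse(tmm_down_events(log_text, year)):
        recent = [(ts, src) for ts, src in parsed if t - window <= ts <= t]
        results.append((t, len(recent), len({src for _, src in recent})))
    return results


def suspicious(results, min_requests=3):
    """Incidents preceded by at least min_requests SIP requests: candidates for a crash-trigger review."""
    return [t for t, count, _ in results if count >= min_requests]


if __name__ == "__main__":
    for t, count, sources in correlate(LTM_LOG, SIP_EVENTS):
        print(f"{t:%Y-%m-%d %H:%M:%S}  sip_requests={count}  sources={sources}")
    for t in suspicious(correlate(LTM_LOG, SIP_EVENTS)):
        print(f"review: TMM incident at {t:%H:%M:%S} preceded by a burst of SIP requests")
```

The point of the window is to separate the restart that followed a burst of SIP requests from the routine restart that nothing preceded; in production the threshold should be set from the normal request rate of the virtual server, and the SIP records should come from whatever flow or AFM logging already covers it.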
How to Mitigate CVE-2025-41433
Immediate Actions Required
- Apply the fixed BIG-IP software versions listed in F5 advisory K000140937 on all affected devices
- Identify and prioritize devices with a Message Routing virtual server bound to a SIP MRF ALG profile, since only these configurations are vulnerable
- Restrict network exposure of affected virtual servers to trusted SIP peers using firewall rules or BIG-IP packet filters until patching is complete
Patch Information
F5 has released fixed software versions addressing CVE-2025-41433. Consult F5 K000140937 for the specific fixed versions per BIG-IP branch and module. Software branches that have reached End of Technical Support are not evaluated and should be upgraded to a supported, patched release.
Workarounds
- Remove the SIP MRF ALG profile from any Message Routing virtual server that does not need it; since a Message Routing virtual server depends on its SIP session and router profiles to function, this usually amounts to retiring that virtual server rather than stripping one profile from a live service
- Apply source-IP restrictions or an AFM policy to limit SIP traffic to known, trusted signaling peers
- Where feasible, disable the affected Message Routing virtual server until the patched version is deployed
# Enumerate SIP MRF profiles; these live under ltm message-routing, not under ltm profile sip (the legacy SIP profile)
tmsh list ltm message-routing sip profile session
tmsh list ltm message-routing sip profile router
# Find virtual servers referencing one of those profiles; the one-line output shows profile names, not profile types
tmsh list ltm virtual one-line | grep -i "<sip_session_profile_name>"
# Workaround, option 1: disable the exposed virtual server until the fixed version is installed
tmsh modify ltm virtual <vs_name> disabled
# Workaround, option 2: detach the SIP MRF profile where the virtual server does not need it (example)
tmsh modify ltm virtual <vs_name> profiles delete { <sip_alg_profile_name> }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.