CVE-2025-41433 Overview
CVE-2025-41433 is a high-severity Denial of Service (DoS) vulnerability affecting F5 BIG-IP systems when a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is configured on a Message Routing virtual server. Specially crafted, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate, resulting in service disruption and potential network outages for organizations relying on F5 BIG-IP for traffic management.
The vulnerability is classified as CWE-476 (Null Pointer Dereference), indicating that the TMM process fails to properly handle certain input conditions, leading to a crash. This vulnerability can be exploited remotely over the network without requiring authentication, making it particularly dangerous for internet-facing deployments.
Critical Impact
Remote attackers can cause complete service disruption of F5 BIG-IP TMM by sending malicious requests to virtual servers with SIP MRF ALG profiles, potentially affecting all traffic flowing through the affected device.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Advanced Web Application Firewall (AWAF)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Carrier-Grade NAT (CGNAT)
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP DNS
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Global Traffic Manager (GTM)
- F5 BIG-IP Link Controller
- F5 BIG-IP Policy Enforcement Manager (PEM)
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP WebAccelerator
- F5 BIG-IP Analytics
- F5 BIG-IP Application Visibility and Reporting (AVR)
- F5 BIG-IP Automation Toolchain
- F5 BIG-IP Container Ingress Services
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP WebSafe
- F5 BIG-IP Application Acceleration Manager
Discovery Timeline
- May 7, 2025 - CVE-2025-41433 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-41433
Vulnerability Analysis
This vulnerability exists within the Traffic Management Microkernel (TMM), which is the core data plane component of F5 BIG-IP systems responsible for processing all network traffic. When a SIP MRF ALG profile is configured on a Message Routing virtual server, the TMM fails to properly validate certain incoming SIP requests before processing them.
The SIP protocol is widely used for voice-over-IP (VoIP) and multimedia communications, and the MRF ALG profile provides application-aware processing for SIP traffic. The vulnerability allows unauthenticated remote attackers to send specially crafted requests that trigger a null pointer dereference condition within the TMM process.
When exploited, the TMM terminates unexpectedly, causing a failover event in high-availability configurations or complete service disruption in standalone deployments. All traffic flowing through the affected BIG-IP system will be interrupted until the TMM process restarts or the system fails over to a standby unit.
Root Cause
The root cause is a Null Pointer Dereference (CWE-476) vulnerability in the TMM's SIP MRF ALG processing logic. When the TMM receives certain malformed or unexpected SIP requests, it attempts to dereference a null pointer, causing the process to crash. This occurs because the input validation routines do not adequately verify the presence and validity of required data structures before attempting to access them.
The vulnerability specifically manifests when:
- A Message Routing virtual server is configured
- A SIP MRF ALG profile is attached to that virtual server
- An attacker sends specially crafted requests to the virtual server
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker needs network access to the vulnerable virtual server configured with a SIP MRF ALG profile. The attack does not require user interaction and can be automated for repeated exploitation attempts.
The exploitation scenario involves sending malicious SIP requests to the target BIG-IP virtual server. When the TMM processes these requests through the SIP MRF ALG profile, the null pointer dereference occurs, causing the TMM to crash. In environments without high availability, this results in complete traffic disruption until manual intervention restores service.
The vulnerability mechanism involves improper input validation in the SIP MRF ALG processing path within TMM. When malformed SIP messages are received, the TMM fails to properly check for null values before dereferencing pointers in the message processing logic. For detailed technical information, refer to the F5 Security Advisory.
Detection Methods for CVE-2025-41433
Indicators of Compromise
- Unexpected TMM process restarts or crashes logged in /var/log/ltm
- High availability failover events without apparent cause
- Sudden traffic drops or service unavailability on SIP virtual servers
- Core dump files generated in /var/core/ directory related to TMM
Detection Strategies
- Monitor BIG-IP system logs for TMM restart events using tmsh show sys log ltm and search for TMM-related crash messages
- Configure SNMP traps or syslog forwarding to detect failover events and TMM restarts in real-time
- Implement network traffic analysis to identify anomalous SIP traffic patterns targeting BIG-IP virtual servers
- Use SentinelOne Singularity Platform to monitor for suspicious network activity and process termination events
Monitoring Recommendations
- Enable detailed logging for Message Routing virtual servers with SIP MRF ALG profiles
- Set up alerting on TMM process state changes and unexpected restarts
- Monitor network traffic to SIP-enabled virtual servers for malformed or unusual request patterns
- Review BIG-IP audit logs regularly for configuration changes to SIP MRF ALG profiles
How to Mitigate CVE-2025-41433
Immediate Actions Required
- Review all BIG-IP configurations to identify virtual servers with SIP MRF ALG profiles enabled
- Apply the vendor-provided security patches as documented in the F5 security advisory
- If patching is not immediately possible, consider temporarily disabling SIP MRF ALG profiles on critical virtual servers
- Ensure high availability configurations are properly functioning to minimize impact from potential TMM crashes
Patch Information
F5 has released security patches to address this vulnerability. Organizations should consult the F5 Security Advisory K000140937 for specific version information and patching instructions. Software versions that have reached End of Technical Support (EoTS) are not evaluated and may not receive patches.
Administrators should plan for maintenance windows to apply patches, as TMM restarts are typically required. In high-availability environments, perform rolling upgrades to maintain service continuity during the patching process.
Workarounds
- If SIP MRF ALG functionality is not required, remove the SIP MRF ALG profile from affected Message Routing virtual servers
- Implement network access controls to restrict access to SIP virtual servers from trusted sources only
- Deploy rate limiting on SIP traffic to reduce the potential impact of exploitation attempts
- Consider using iRules to filter or sanitize incoming SIP traffic before it reaches the ALG profile
# Example: List virtual servers with SIP profiles attached
tmsh list ltm virtual all | grep -A 20 "ltm virtual" | grep -E "(virtual|sip)"
# Example: Check TMM process status
tmsh show sys tmm-info
# Example: Monitor TMM logs for crash events
tail -f /var/log/ltm | grep -i "tmm"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
