CVE-2025-46405 Overview
CVE-2025-46405 affects F5 BIG-IP Access Policy Manager (APM) when Network Access is configured on a virtual server. Undisclosed traffic sent to the affected virtual server can cause the Traffic Management Microkernel (TMM) to terminate, producing a denial-of-service condition on the appliance. The flaw is classified as a stack-based buffer overflow [CWE-121]. F5 has published advisory K000151546 describing the affected versions and fixed releases. Software versions that have reached End of Technical Support are not evaluated by the vendor.
Critical Impact
A remote, unauthenticated attacker can terminate the TMM process and disrupt all data-plane traffic flowing through the BIG-IP APM virtual server.
Affected Products
- F5 BIG-IP Access Policy Manager (APM) with Network Access configured on a virtual server
- BIG-IP APM versions listed as vulnerable in F5 advisory K000151546
- BIG-IP APM deployments exposing VPN/Network Access services to untrusted networks
Discovery Timeline
- 2025-08-13 - CVE-2025-46405 published to NVD
- 2025-10-21 - Last updated in NVD database
Technical Details for CVE-2025-46405
Vulnerability Analysis
The defect resides in the Traffic Management Microkernel (TMM), the data-plane process that handles all client and server traffic on BIG-IP devices. When the APM Network Access feature is enabled on a virtual server, TMM parses VPN-related traffic from remote clients. Specially crafted but undisclosed traffic triggers a stack-based buffer overflow condition that causes TMM to terminate. Loss of TMM interrupts all virtual servers hosted on the affected BIG-IP instance, not only the APM listener. The issue is reachable over the network without authentication or user interaction, which is consistent with the attack profile reported by F5.
Root Cause
The root cause is improper bounds handling on a stack buffer during processing of Network Access traffic, mapped to [CWE-121] Stack-based Buffer Overflow. F5 has not disclosed the specific protocol field or parser that triggers the overflow. Because the overrun corrupts TMM stack state, the process aborts under stack-protection enforcement rather than allowing controlled execution, producing the observed denial of service.
Attack Vector
The attack vector is network-based. An attacker reaches the APM virtual server over the same interface used by legitimate Network Access (VPN) clients and submits crafted traffic to the listener. No credentials, prior session, or user action are required. The result is a TMM crash and full data-plane outage until the microkernel is restarted by the host control plane.
No verified proof-of-concept code is available. See the F5 Security Article K000151546 for vendor technical details and fixed version mappings.
Detection Methods for CVE-2025-46405
Indicators of Compromise
- Unexpected TMM process restarts recorded in /var/log/ltm with messages such as tmm exited or Re-starting tmm.
- Core files written under /var/core/ with the tmm prefix following bursts of inbound Network Access traffic.
- Short-lived service outages on APM virtual servers correlating with anomalous client sessions from the public interface.
Detection Strategies
- Monitor BIG-IP system logs and SNMP traps for tmm termination, watchdog restart, and high availability failover events tied to the APM virtual server.
- Correlate APM access logs with TMM restart timestamps to identify the source IP responsible for the triggering traffic.
- Compare the running BIG-IP version against the fixed versions listed in F5 advisory K000151546 to confirm exposure.
Monitoring Recommendations
- Forward BIG-IP ltm, apm, and restjavad logs to a central SIEM and alert on repeated tmm core events within short time windows.
- Track failover frequency on HA pairs hosting APM Network Access; sustained failovers from the same source pattern indicate exploitation attempts.
- Inspect upstream firewall and WAF telemetry for malformed VPN handshake traffic directed at the APM virtual server IP.
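The correlation and alerting steps above can be sketched as follows. This is an added example, not F5 tooling or code from the advisory: the log layout, sample lines, function names, and the 60-second, 10-minute and 30-second thresholds are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TMM_EVENT = re.compile(r"tmm.*(exited|core|Re-starting)")  # same pattern as the page's grep

# Constructed sample data in a simplified "<ISO timestamp> <text>" layout.
# These are NOT real BIG-IP log lines; adapt parse_ts() to your own format.
LTM_LINES = [
    "2025-01-01T10:00:05 bigip1 tmm exited",
    "2025-01-01T10:00:06 bigip1 tmm core file written",
    "2025-01-01T10:03:40 bigip1 tmm exited",
    "2025-01-01T10:20:00 bigip1 pool member up",
    "2025-01-01T14:00:00 bigip1 tmm exited",
]
APM_LINES = [  # "<ISO timestamp> <client IP>", documentation address ranges
    "2025-01-01T10:00:03 203.0.113.7",
    "2025-01-01T10:00:04 198.51.100.20",
    "2025-01-01T10:03:38 203.0.113.7",
    "2025-01-01T13:30:00 192.0.2.44",
    "2025-01-01T13:59:59 203.0.113.7",
]

def parse_ts(line):
    return datetime.fromisoformat(line.split(" ", 1)[0])

def crash_incidents(ltm_lines, merge=timedelta(seconds=60)):
    """Collapse matching lines closer than `merge` into one incident each."""
    incidents, last = [], None
    for ts in sorted(parse_ts(l) for l in ltm_lines if TMM_EVENT.search(l)):
        if last is None or ts - last > merge:
            incidents.append(ts)
        last = ts
    return incidents

def bursts(incidents, window=timedelta(minutes=10), threshold=2):
    """(start, count) for each incident that opens a window with >= threshold crashes."""
    out = []
    for start in incidents:
        n = sum(1 for t in incidents if start <= t <= start + window)
        if n >= threshold:
            out.append((start, n))
    return out

def sources_before_crashes(incidents, apm_lines, lookback=timedelta(seconds=30)):
    """Rank client IPs by how many incidents they were seen shortly before."""
    seen = [(parse_ts(l), l.split()[1]) for l in apm_lines]
    hits = Counter()
    for crash in incidents:
        hits.update({ip for ts, ip in seen if crash - lookback <= ts <= crash})
    return hits.most_common()  # a lead for triage, not proof of cause

if __name__ == "__main__":
    found = crash_incidents(LTM_LINES)
    print(bursts(found), sources_before_crashes(found, APM_LINES))
```

A source that appears before several separate incidents is a stronger triage lead than one seen before a single crash, which is why the ranking counts incidents rather than raw requests.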
How to Mitigate CVE-2025-46405
Immediate Actions Required
- Identify all BIG-IP APM virtual servers with Network Access configured and confirm their software version against F5 advisory K000151546.
- Upgrade affected systems to a fixed release published by F5 for your installed branch.
- Restrict inbound access to APM Network Access virtual servers to known client networks or VPN concentrator front-ends where operationally feasible.
Patch Information
F5 has published fixed software versions in the F5 Security Article K000151546. Apply the upgrade path that matches your current BIG-IP branch. Versions that have reached End of Technical Support are not evaluated and should be migrated to a supported branch.
Workarounds
- If patching is not immediately possible, disable Network Access on the affected APM virtual server until the upgrade can be scheduled.
- Place a network ACL or upstream firewall rule in front of the APM virtual server to limit reachability to trusted source ranges.
- Enable HA monitoring and automated TMM recovery so that any forced termination is followed by rapid service restoration while remediation is in progress.
```bash
# Example: identify APM virtual servers with Network Access enabled
tmsh list apm profile connectivity
tmsh list ltm virtual one-line | grep -i apm

# Example: review recent TMM termination events
grep -E 'tmm.*(exited|core|Re-starting)' /var/log/ltm
```


