CVE-2025-48008 Overview
CVE-2025-48008 is a Use-After-Free vulnerability affecting F5 BIG-IP products when a TCP profile with Multipath TCP (MPTCP) is enabled on a virtual server. When specific undisclosed traffic patterns occur alongside certain environmental conditions, the Traffic Management Microkernel (TMM) can terminate unexpectedly, resulting in a denial of service condition. This vulnerability is particularly concerning for organizations relying on F5 BIG-IP appliances for critical network traffic management and application delivery.
Critical Impact
Exploitation of this vulnerability can cause the TMM to crash, leading to service disruption and potential loss of availability for all applications and services running through the affected BIG-IP device.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Global Traffic Manager (GTM)
- F5 BIG-IP DNS
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Next Cloud-Native Network Functions
- F5 BIG-IP Next Service Proxy for Kubernetes
Discovery Timeline
- October 15, 2025 - CVE-2025-48008 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-48008
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use-After-Free), a memory corruption vulnerability that occurs when a program continues to use a memory reference after it has been freed. In the context of F5 BIG-IP's Traffic Management Microkernel, this condition can be triggered when processing specific network traffic on virtual servers configured with MPTCP-enabled TCP profiles.
The TMM is the core data plane component of BIG-IP systems responsible for processing all traffic flowing through the device. When the Use-After-Free condition is triggered, the TMM process terminates, causing a disruption to all traffic processing capabilities of the affected BIG-IP device. While the vulnerability requires conditions "beyond the attacker's control," the network-accessible nature of the attack vector means that remote attackers can attempt exploitation without authentication.
Root Cause
The vulnerability stems from improper memory management within the TMM when handling MPTCP (Multipath TCP) connections. MPTCP is a TCP extension that allows multiple TCP subflows to be combined into a single connection, improving throughput and redundancy. The complexity of managing multiple subflows and their associated memory structures creates conditions where memory references may be accessed after deallocation, leading to the Use-After-Free condition.
The root cause appears to be related to race conditions or timing issues in how the TMM handles the lifecycle of MPTCP-related data structures during connection processing, particularly when specific traffic patterns are encountered.
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker would need to:
- Identify a target BIG-IP virtual server with MPTCP enabled in its TCP profile
- Send specially crafted or specific traffic patterns to the virtual server
- Wait for environmental conditions (beyond attacker control) to align
While the attacker cannot fully control all conditions required for exploitation, the network accessibility and lack of authentication requirements make this a significant risk for exposed BIG-IP deployments.
The vulnerability mechanism involves the TMM processing MPTCP traffic where memory structures associated with subflows or connection states are freed prematurely while still being referenced by other parts of the processing logic. When the freed memory is subsequently accessed, it can cause memory corruption and process termination. Refer to the F5 Security Advisory for complete technical details.
Detection Methods for CVE-2025-48008
Indicators of Compromise
- Unexpected TMM process restarts or crashes in BIG-IP system logs
- High availability failover events without apparent cause
- Entries in /var/log/ltm indicating TMM core dumps
- Increased frequency of tmm restart events visible via tmsh show sys mcp-state
Detection Strategies
- Monitor BIG-IP system logs for TMM crash events using syslog forwarding to your SIEM
- Configure SNMP traps for TMM process failures and system restarts
- Implement alerting on HA failover events that may indicate TMM instability
- Review qkview diagnostic bundles for patterns of TMM crashes
Monitoring Recommendations
- Enable detailed logging for virtual servers with MPTCP-enabled TCP profiles
- Configure centralized log collection for all BIG-IP devices to correlate potential attack patterns
- Set up availability monitoring for services behind affected BIG-IP virtual servers
- Implement baseline monitoring for TMM memory utilization and process stability
How to Mitigate CVE-2025-48008
Immediate Actions Required
- Review all TCP profiles to identify those with MPTCP enabled using tmsh list ltm profile tcp | grep -A5 mptcp
- Evaluate whether MPTCP is required for your use cases; disable if not operationally necessary
- Apply vendor patches as soon as available from F5
- Implement network segmentation to limit exposure of BIG-IP management and data planes
Patch Information
F5 has published security advisory K000150614 which contains specific version information and patch availability. Organizations should review this advisory for their specific BIG-IP version and apply the appropriate hotfix or upgrade. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to supported versions.
Workarounds
- Disable MPTCP in TCP profiles where it is not required by setting mptcp disabled in the profile configuration
- If MPTCP is required, consider implementing additional network filtering to limit traffic sources to trusted origins
- Deploy redundant BIG-IP devices in HA configuration to maintain availability during potential TMM crashes
- Monitor for and apply F5 engineering hotfixes as they become available
# Disable MPTCP in a TCP profile (workaround configuration)
tmsh modify ltm profile tcp /Common/your-tcp-profile mptcp disabled
tmsh save sys config
# Verify MPTCP status on all TCP profiles
tmsh list ltm profile tcp mptcp | grep -B1 "enabled"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
