CVE-2025-52585 Overview
CVE-2025-52585 is a denial of service vulnerability affecting F5 BIG-IP products when configured with specific SSL settings. When a BIG-IP LTM Client SSL profile is configured on a virtual server with SSL Forward Proxy enabled and Anonymous Diffie-Hellman (ADH) ciphers enabled, specially crafted requests can cause the Traffic Management Microkernel (TMM) to terminate unexpectedly. This vulnerability represents a significant availability risk for organizations relying on F5 BIG-IP for critical traffic management and application delivery functions.
Critical Impact
Remote attackers can cause denial of service by crashing the TMM process, disrupting traffic management for all services handled by the affected BIG-IP system.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager
- F5 BIG-IP Advanced Firewall Manager
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Application Security Manager
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Global Traffic Manager
- F5 BIG-IP Policy Enforcement Manager
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Analytics
- F5 BIG-IP Application Acceleration Manager
- F5 BIG-IP Carrier-Grade NAT
- F5 BIG-IP Domain Name System
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Link Controller
- F5 BIG-IP WebAccelerator
- F5 BIG-IP WebSafe
Discovery Timeline
- August 13, 2025 - CVE-2025-52585 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-52585
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), indicating that the Traffic Management Microkernel (TMM) fails to properly handle certain request conditions when SSL Forward Proxy is enabled with Anonymous Diffie-Hellman ciphers. The TMM is a critical component responsible for processing all network traffic through the BIG-IP system, making its unexpected termination particularly impactful.
The vulnerability can be triggered remotely over the network without authentication, making it accessible to any attacker who can reach the vulnerable virtual server. No user interaction is required for exploitation, and the attack complexity is considered low. While the vulnerability does not result in data compromise or integrity violations, the availability impact is severe as it can take down traffic processing entirely.
Root Cause
The root cause of this vulnerability is a NULL Pointer Dereference (CWE-476) within the TMM's SSL handling code path. When processing SSL connections through a virtual server configured with both SSL Forward Proxy and ADH ciphers, the TMM encounters a condition where it attempts to dereference a NULL pointer. This occurs because ADH cipher suites do not use server certificates, and the code path fails to properly account for this scenario when combined with SSL Forward Proxy functionality. The resulting NULL pointer access causes the TMM process to crash, interrupting all traffic processing on the BIG-IP system.
Attack Vector
The attack is network-based and requires the attacker to send specially crafted SSL/TLS requests to a virtual server that has the vulnerable configuration. The specific attack vector involves:
- Identifying a BIG-IP virtual server with a Client SSL profile configured for SSL Forward Proxy
- The virtual server must have ADH ciphers enabled in its cipher suite configuration
- Sending requests that trigger the vulnerable code path in TMM
The vulnerability exploits the specific combination of SSL Forward Proxy mode with Anonymous Diffie-Hellman ciphers, which is an edge case in SSL/TLS configuration that results in improper handling within the TMM process.
Detection Methods for CVE-2025-52585
Indicators of Compromise
- Unexpected TMM process restarts or crashes visible in /var/log/ltm
- High availability failover events triggered by TMM failures
- Service interruptions affecting traffic through BIG-IP virtual servers
- Repeated SSL connection failures or timeouts from client perspective
- Core dumps generated by TMM in /var/core/ directory
Detection Strategies
- Monitor BIG-IP system logs for TMM crash events using pattern matching for tmm and core dumped messages
- Implement SNMP monitoring for TMM process status and automatic restart events
- Configure alerts on BIG-IP high availability failover events that may indicate exploitation
- Review SSL connection logs for anomalous patterns targeting virtual servers with ADH ciphers enabled
- Deploy network monitoring to detect unusual SSL/TLS negotiation patterns
Monitoring Recommendations
- Enable detailed TMM logging with tmsh modify sys db log.tmm.level value debug during investigation periods
- Configure centralized log collection to capture TMM crash events for correlation analysis
- Implement availability monitoring for critical virtual servers with sub-minute polling intervals
- Set up automated alerting for TMM restarts using iHealth or external monitoring solutions
- Review SSL profile configurations periodically to identify virtual servers with ADH ciphers enabled
How to Mitigate CVE-2025-52585
Immediate Actions Required
- Audit all virtual server configurations to identify those using SSL Forward Proxy with ADH ciphers enabled
- Disable Anonymous Diffie-Hellman (ADH) ciphers on affected virtual servers as a temporary mitigation
- Apply F5-provided patches as soon as they are available for your BIG-IP version
- Ensure high availability configurations are in place to minimize service disruption from potential TMM crashes
- Review firewall rules to limit network access to management interfaces and restrict exposure of vulnerable virtual servers
Patch Information
F5 has released a security advisory addressing this vulnerability. Organizations should consult the F5 Knowledge Base Article K000141436 for specific version information, fixed releases, and detailed remediation guidance. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to supported versions.
Workarounds
- Remove ADH ciphers from Client SSL profiles used with SSL Forward Proxy configurations
- Disable SSL Forward Proxy on affected virtual servers if not operationally required
- Implement network-level access controls to restrict access to vulnerable virtual servers from untrusted networks
- Consider using alternative cipher suites that provide forward secrecy without the ADH vulnerability exposure
- Deploy Web Application Firewall rules to filter potentially malicious SSL/TLS negotiation attempts
# Example: Remove ADH ciphers from a Client SSL profile
tmsh modify ltm profile client-ssl <profile_name> ciphers 'DEFAULT:!ADH:!EXPORT:!LOW:!RC4:!MD5'
# Verify current cipher configuration
tmsh list ltm profile client-ssl <profile_name> ciphers
# Check for virtual servers using SSL Forward Proxy
tmsh list ltm virtual all | grep -A 20 "ssl-forward-proxy"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
