CVE-2025-53474 Overview
CVE-2025-53474 is a denial of service vulnerability affecting F5 BIG-IP products when an iRule using an ILX::call command is configured on a virtual server. When exploited, undisclosed traffic patterns can cause the Traffic Management Microkernel (TMM) to terminate unexpectedly, resulting in service disruption. The TMM is a critical component responsible for handling all network traffic passing through BIG-IP devices, making this vulnerability particularly impactful for organizations relying on these appliances for application delivery and security.
Critical Impact
Successful exploitation causes TMM termination, leading to complete traffic processing failure and potential service outages for all applications behind the affected BIG-IP device.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Advanced Web Application Firewall (AWAF)
- F5 BIG-IP Domain Name System (DNS)
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Analytics
- F5 BIG-IP Application Acceleration Manager (AAM)
- F5 BIG-IP Application Visibility and Reporting (AVR)
- F5 BIG-IP Carrier-Grade NAT (CGNAT)
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP Global Traffic Manager (GTM)
- F5 BIG-IP Link Controller
- F5 BIG-IP Policy Enforcement Manager (PEM)
- F5 BIG-IP WebAccelerator
- F5 BIG-IP WebSafe
- F5 BIG-IP Automation Toolchain
- F5 BIG-IP Container Ingress Services
Discovery Timeline
- October 15, 2025 - CVE-2025-53474 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-53474
Vulnerability Analysis
This vulnerability is classified under CWE-120 (Buffer Copy without Checking Size of Input), commonly known as a buffer overflow vulnerability. The issue exists within the Traffic Management Microkernel (TMM) component of F5 BIG-IP devices. The TMM is the data plane process responsible for processing all traffic that passes through the BIG-IP system.
When an iRule containing the ILX::call command is attached to a virtual server, certain traffic patterns can trigger improper memory handling within TMM. The ILX::call command is used to invoke Node.js functions from within iRules, enabling custom application logic through the iRules Language eXtension (ILX) framework. The vulnerability appears to manifest when processing specific, undisclosed traffic that interacts with the ILX subsystem, causing memory corruption that results in TMM process termination.
The exploitation requires no authentication and can be triggered remotely over the network. An attacker does not need any privileges or user interaction to exploit this vulnerability, making it a significant threat to exposed BIG-IP deployments that utilize ILX functionality.
Root Cause
The root cause is a buffer overflow condition (CWE-120) in the TMM process when handling traffic destined for virtual servers with iRules configured to use the ILX::call command. The vulnerability occurs due to insufficient bounds checking when processing input data, allowing specially crafted traffic to overflow memory buffers and cause TMM to crash. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.
Attack Vector
The attack vector is network-based, requiring an attacker to send specifically crafted traffic to a BIG-IP virtual server configured with an iRule that uses the ILX::call command. The attack can be performed remotely without authentication, and no user interaction is required.
The exploitation scenario involves:
- Identifying a BIG-IP device with a virtual server utilizing ILX functionality
- Crafting network traffic that triggers the buffer overflow condition
- Sending the malicious traffic to the target virtual server
- TMM processing the traffic, encountering the overflow, and terminating
- Traffic processing halting until TMM restarts, causing service disruption
Since the specific traffic pattern required to trigger the vulnerability is undisclosed, detailed exploitation code is not publicly available. Organizations should refer to the F5 Security Article K44517780 for technical details and recommended mitigations.
Detection Methods for CVE-2025-53474
Indicators of Compromise
- Unexpected TMM process restarts in /var/log/ltm logs
- Core dump files generated by TMM crashes in /var/core/
- Elevated or unusual traffic patterns targeting virtual servers with ILX iRules
- Service interruptions correlated with specific traffic flows
Detection Strategies
- Monitor for TMM restart events using log analysis and alerting on the message pattern "tmm.*restart" in system logs
- Implement network traffic analysis to identify anomalous patterns targeting BIG-IP virtual servers
- Configure SNMP traps or syslog alerts for TMM process state changes
- Review iRule configurations to identify virtual servers using ILX::call commands that may be vulnerable
Monitoring Recommendations
- Enable enhanced logging for TMM events and forward logs to a centralized SIEM solution
- Configure BIG-IP high availability (HA) failover alerting to detect unplanned failover events
- Implement real-time monitoring of TMM process health using F5 iHealth or similar tools
- Set up automated alerts for core dump generation on BIG-IP devices
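As an added example (not from the advisory or from F5), the "tmm.*restart" alerting pattern from the detection strategies above applied in a small Python log analyser of the kind you would run in a SIEM pipeline: it parses lines in the general syslog shape of /var/log/ltm, classifies TMM crash, restart and core-dump messages, and raises an alert when a configurable number of restarts fall within a time window. The sample log lines are constructed for illustration and are not verbatim F5 messages; the crash and core-dump patterns beyond the advisory's "tmm.*restart" are assumptions to be tuned against real logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the general syslog shape of /var/log/ltm.
# They are illustrative only, not verbatim F5 messages.
SAMPLE_LTM_LOG = """\
Oct 15 10:01:12 bigip1 info tmm[4321]: Rule /Common/ilx_rule <HTTP_REQUEST>: calling ILX extension
Oct 15 10:01:13 bigip1 err tmm[4321]: tmm terminated unexpectedly (signal 11)
Oct 15 10:01:14 bigip1 notice sod[2222]: tmm restart detected, core written to /var/core/core.tmm.4321
Oct 15 10:01:20 bigip1 info tmm[4390]: tmm started
Oct 15 10:30:05 bigip1 info httpd[777]: GET /tmui/login.jsp
Oct 15 11:02:44 bigip1 err tmm[4390]: tmm terminated unexpectedly (signal 11)
Oct 15 11:02:45 bigip1 notice sod[2222]: tmm restart detected, core written to /var/core/core.tmm.4390
"""

# Syslog-style line: timestamp, host, severity, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<sev>\w+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# "tmm.*restart" is the pattern the advisory suggests alerting on; the crash
# and core-dump patterns are assumptions and should be tuned against real logs.
EVENT_PATTERNS = {
    "tmm_restart": re.compile(r"tmm.*restart", re.I),
    "tmm_crash": re.compile(r"tmm.*(terminated unexpectedly|signal \d+)", re.I),
    "core_dump": re.compile(r"/var/core/\S+"),
}


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # /var/log/ltm timestamps carry no year; relative deltas are all we need
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def classify(msg):
    """Event kinds that a message matches (a line may match more than one)."""
    return [kind for kind, rx in EVENT_PATTERNS.items() if rx.search(msg)]


def analyze_ltm_log(text, window=timedelta(hours=2), threshold=2):
    """Extract TMM health events and flag repeated restarts within a window.

    Returns a dict with the event list, the restart count and an alert flag.
    """
    events = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for kind in classify(rec["msg"]):
            events.append({"ts": rec["ts"], "kind": kind,
                           "proc": rec["proc"], "pid": rec["pid"],
                           "msg": rec["msg"]})
    restarts = [e["ts"] for e in events if e["kind"] == "tmm_restart"]
    # Alert when `threshold` restarts start within any `window`-long span
    alert = any(
        sum(1 for later in restarts[i:] if later - first <= window) >= threshold
        for i, first in enumerate(restarts)
    )
    return {"events": events, "restart_count": len(restarts), "alert": alert}


if __name__ == "__main__":
    result = analyze_ltm_log(SAMPLE_LTM_LOG)
    for e in result["events"]:
        print(f"{e['ts']:%b %d %H:%M:%S} {e['kind']:12} {e['msg']}")
    print(f"restarts={result['restart_count']} alert={result['alert']}")
```

A single TMM restart can be a planned event (upgrade, configuration reload), so the analyser alerts on repeats within a window rather than on every match; correlate the alert with the core-dump events and the virtual server list from your iRule review before treating it as a possible exploitation attempt.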
How to Mitigate CVE-2025-53474
Immediate Actions Required
- Review all iRule configurations to identify virtual servers using ILX::call commands
- Evaluate whether ILX functionality is essential for business operations; disable if not required
- Apply vendor-provided patches or hotfixes as soon as they become available
- Implement network segmentation to limit exposure of BIG-IP management and data plane interfaces
Patch Information
F5 has published security guidance for this vulnerability. Organizations should consult the F5 Security Article K44517780 for specific patch versions and remediation instructions. Ensure all BIG-IP devices are running supported software versions, as products that have reached End of Technical Support (EoTS) are not evaluated or patched.
Workarounds
- Temporarily remove or disable iRules containing ILX::call commands until patches can be applied
- Implement rate limiting on virtual servers to reduce the impact of potential exploitation attempts
- Configure BIG-IP device mirroring or HA pairs to minimize service disruption during TMM restarts
- Use external web application firewalls or intrusion prevention systems to filter potentially malicious traffic
# Example: List iRules using ILX::call commands (-B5 prints the five preceding lines; raise it if the "ltm rule" name line is cut off)
tmsh list ltm rule | grep -B5 "ILX::call"
# Example: Detach all iRules from a virtual server temporarily ("rules none" removes every iRule on that virtual server, not just the ILX one)
tmsh modify ltm virtual <virtual_server_name> rules none
# Example: Monitor TMM restarts in real-time
tail -f /var/log/ltm | grep -i "tmm"
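An added example, not the advisory's or F5's own code, that turns the tmsh grep above into the configuration review called for in the detection and mitigation lists: it parses saved output of `tmsh list ltm rule` and `tmsh list ltm virtual` (tmsh is not available off the box, so the output is read from files) and reports which virtual servers have an ILX::call iRule attached, rather than only which rules contain the command. The embedded sample output is constructed in the shape tmsh prints; the object names, rule bodies and addresses are hypothetical.

```python
import re
import sys

# Constructed sample output in the shape produced by "tmsh list ltm rule".
# Object names and rule bodies are hypothetical.
SAMPLE_RULES = """\
ltm rule /Common/ilx_rule {
    when HTTP_REQUEST {
        set rpc_handle [ILX::init ilx_plugin ilx_extension]
        set verdict [ILX::call $rpc_handle check_request [HTTP::uri]]
    }
}
ltm rule /Common/redirect_rule {
    when HTTP_REQUEST {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
"""

# Constructed sample output in the shape produced by "tmsh list ltm virtual".
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_app {
    destination /Common/10.0.0.10:443
    ip-protocol tcp
    rules {
        /Common/ilx_rule
        /Common/redirect_rule
    }
}
ltm virtual /Common/vs_plain {
    destination /Common/10.0.0.11:80
    ip-protocol tcp
    rules {
        /Common/redirect_rule
    }
}
ltm virtual /Common/vs_norules {
    destination /Common/10.0.0.12:80
    ip-protocol tcp
}
"""


def split_objects(text, kind):
    """Yield (name, body) for each top-level "ltm <kind> <name> {" object.

    tmsh prints top-level objects at column 0, so the next such header marks
    the end of the current object; no brace balancing is needed.
    """
    headers = list(re.finditer(rf"(?m)^ltm {kind} (\S+) \{{", text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        yield m.group(1), text[m.end():end]


def rules_using_ilx_call(rule_text):
    """Names of iRules whose body contains an ILX::call command."""
    return {
        name for name, body in split_objects(rule_text, "rule")
        if re.search(r"\bILX::call\b", body)
    }


def virtual_rule_bindings(virtual_text):
    """Map each virtual server to the iRule names in its 'rules { ... }' block."""
    bindings = {}
    for name, body in split_objects(virtual_text, "virtual"):
        m = re.search(r"^\s*rules \{(.*?)^\s*\}", body, re.S | re.M)
        bindings[name] = m.group(1).split() if m else []
    return bindings


def exposed_virtual_servers(rule_text, virtual_text):
    """Virtual servers with at least one ILX::call iRule attached, and which ones."""
    ilx_rules = rules_using_ilx_call(rule_text)
    report = {}
    for vs, attached in virtual_rule_bindings(virtual_text).items():
        hits = sorted(set(attached) & ilx_rules)
        if hits:
            report[vs] = hits
    return report


if __name__ == "__main__":
    # Usage: python3 ilx_audit.py rules.txt virtuals.txt
    # where the files hold "tmsh list ltm rule" / "tmsh list ltm virtual"
    # output; with no arguments the constructed samples are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            rules_out = f.read()
        with open(sys.argv[2]) as f:
            virtuals_out = f.read()
    else:
        rules_out, virtuals_out = SAMPLE_RULES, SAMPLE_VIRTUALS
    for vs, hits in exposed_virtual_servers(rules_out, virtuals_out).items():
        print(f"{vs}: ILX::call iRules attached -> {', '.join(hits)}")
```

The rule match is deliberately simple (any `ILX::call` token, including one inside a Tcl comment), which errs toward over-reporting; the resulting virtual server list is what to check against the K44517780 guidance and, if the workaround is chosen, what to detach rules from.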
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

