CVE-2025-54479 Overview
CVE-2025-54479 is a high-severity Denial of Service vulnerability affecting F5 BIG-IP products. When a classification profile is configured on a virtual server without an accompanying HTTP or HTTP/2 profile, specially crafted requests can cause the Traffic Management Microkernel (TMM) to terminate unexpectedly. This vulnerability is classified as CWE-787 (Out-of-Bounds Write), indicating that the underlying issue involves memory corruption when processing malformed requests under specific configuration conditions.
The TMM is a critical component responsible for processing all load-balanced traffic in F5 BIG-IP deployments. Its termination directly results in service disruption and potential complete loss of traffic handling capabilities for affected virtual servers.
Critical Impact
Unauthenticated remote attackers can cause a complete denial of service by crashing the Traffic Management Microkernel, disrupting traffic processing for all services relying on the affected virtual server configuration.
Affected Products
- F5 BIG-IP Next Cloud-Native Network Functions (versions 2.0.0, 2.0.1, 2.0.2, 2.1.0)
- F5 BIG-IP Next for Kubernetes (versions 2.0.0, 2.1.0)
- F5 BIG-IP Policy Enforcement Manager (version 17.5.0 and other affected versions)
Discovery Timeline
- October 15, 2025 - CVE-2025-54479 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-54479
Vulnerability Analysis
This vulnerability stems from an out-of-bounds write condition (CWE-787) in the F5 BIG-IP Traffic Management Microkernel. The flaw occurs when a classification profile is attached to a virtual server that lacks a properly configured HTTP or HTTP/2 profile. Under these specific configuration conditions, the TMM fails to properly validate or handle incoming request data, leading to memory corruption.
The vulnerability is remotely exploitable over the network without requiring authentication or user interaction. An attacker can trigger the condition by sending specially crafted requests to an affected virtual server, causing the TMM process to crash. Since the TMM handles all traffic processing for F5 BIG-IP devices, its termination results in immediate service disruption.
Root Cause
The root cause is an out-of-bounds write vulnerability in the TMM's request processing logic. When a classification profile is present without the expected HTTP/HTTP/2 profile context, the TMM attempts to process incoming requests using code paths that make assumptions about data structures or buffers that may not be properly initialized or sized. This leads to writes beyond allocated memory boundaries, corrupting memory and causing process termination.
The configuration-dependent nature of this vulnerability suggests that certain initialization routines or data structures associated with HTTP profile processing are required for safe handling of requests when classification profiles are active.
Attack Vector
The attack vector is network-based and requires no authentication or privileges. An attacker can exploit this vulnerability by:
- Identifying F5 BIG-IP virtual servers configured with classification profiles but lacking HTTP/HTTP/2 profiles
- Sending crafted network requests to the target virtual server
- Triggering the out-of-bounds write condition in the TMM
- Causing the TMM to crash and interrupt all traffic processing
The vulnerability manifests in the request processing logic of the Traffic Management Microkernel when specific configuration conditions are met. Technical details regarding the exact malformed request structure have not been publicly disclosed. Refer to the F5 Knowledge Base Article K000151475 for vendor-specific technical information.
Detection Methods for CVE-2025-54479
Indicators of Compromise
- Unexpected TMM process crashes or restarts in F5 BIG-IP system logs
- Service interruptions on virtual servers configured with classification profiles
- Core dump files generated by TMM process terminations
- Repeated connection failures to BIG-IP managed services
Detection Strategies
- Monitor F5 BIG-IP system logs for TMM crash events or restart notifications
- Audit virtual server configurations to identify instances where classification profiles are configured without HTTP/HTTP/2 profiles
- Implement alerting for unusual traffic patterns targeting virtual servers with potentially vulnerable configurations
- Review core dump analysis for evidence of out-of-bounds write memory corruption
Monitoring Recommendations
- Enable enhanced logging for TMM process health and stability metrics
- Configure SNMP traps or syslog alerts for TMM failover or restart events
- Implement network traffic monitoring to detect anomalous request patterns targeting BIG-IP virtual servers
- Establish baseline TMM performance metrics to identify deviation patterns
How to Mitigate CVE-2025-54479
Immediate Actions Required
- Review all virtual server configurations to identify classification profiles configured without HTTP or HTTP/2 profiles
- Add appropriate HTTP or HTTP/2 profiles to virtual servers that use classification profiles
- Apply F5 security patches as described in the vendor advisory
- Consider implementing temporary access restrictions to affected virtual servers if patching is delayed
Patch Information
F5 has released security patches addressing this vulnerability. Administrators should consult the F5 Knowledge Base Article K000151475 for specific patch versions and upgrade instructions. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to supported versions.
Workarounds
- Ensure all virtual servers with classification profiles have an HTTP or HTTP/2 profile configured
- Remove classification profiles from virtual servers where HTTP/HTTP/2 profiles cannot be applied
- Implement network-level access controls to limit exposure of potentially vulnerable configurations
- Consider using F5 iRules or access policies to filter potentially malicious requests as an interim measure
# Configuration verification example
# List virtual servers with classification profiles to audit HTTP profile assignments
tmsh list ltm virtual all | grep -A 20 "classification"
# Verify HTTP profile is attached to virtual server
tmsh list ltm virtual <virtual_server_name> profiles
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
