CVE-2025-55036 Overview
CVE-2025-55036 is a memory corruption vulnerability in F5 BIG-IP SSL Orchestrator. The flaw triggers when an explicit forward proxy is configured on a virtual server with the proxy connect feature enabled. Undisclosed traffic processed through this configuration can corrupt memory within the affected service.
The issue is classified under CWE-787 (Out-of-bounds Write). F5 has not disclosed the specific traffic patterns that trigger the condition. Software versions that have reached End of Technical Support (EoTS) were not evaluated by the vendor.
Critical Impact
Network-adjacent attackers can send crafted traffic to corrupt memory in BIG-IP SSL Orchestrator, leading to denial of service against availability of the proxy service.
Affected Products
- F5 BIG-IP SSL Orchestrator (versions evaluated per F5 advisory K000151368)
- BIG-IP SSL Orchestrator deployments with explicit forward proxy on a virtual server
- BIG-IP SSL Orchestrator instances with the proxy connect feature enabled
Discovery Timeline
- 2025-10-15 - CVE-2025-55036 published to NVD
- 2025-10-21 - Last updated in NVD database
Technical Details for CVE-2025-55036
Vulnerability Analysis
The vulnerability resides in the traffic handling path of BIG-IP SSL Orchestrator when it operates as an explicit forward proxy. SSL Orchestrator decrypts, inspects, and re-encrypts TLS traffic between clients and external destinations. The explicit forward proxy mode requires clients to direct HTTP CONNECT requests to the BIG-IP virtual server.
When the proxy connect feature is enabled, the data path processes CONNECT method traffic and tunnels subsequent payloads. F5 has identified that specific undisclosed traffic patterns trigger an out-of-bounds write condition during this processing. The memory corruption affects the availability of the service.
Root Cause
The root cause is an out-of-bounds write [CWE-787] in the proxy connect traffic handler. The handler writes data beyond the allocated buffer boundary when parsing or relaying particular traffic structures. F5 has not published the exact code paths or input conditions to limit exploit development.
Attack Vector
The attack requires network access to a vulnerable virtual server with explicit forward proxy and proxy connect both active. No authentication or user interaction is required. An attacker sends crafted traffic through the proxy listener to trigger the corruption.
The impact is confined to availability of the BIG-IP SSL Orchestrator service. The CVSS vector indicates no confidentiality or integrity impact, and no scope change to other components. Exploitation typically results in service disruption rather than code execution.
No public proof-of-concept exists for CVE-2025-55036 at the time of publication. See the F5 Security Advisory K000151368 for vendor-confirmed technical details.
Detection Methods for CVE-2025-55036
Indicators of Compromise
- Unexpected restarts or crashes of the Traffic Management Microkernel (TMM) process on BIG-IP devices running SSL Orchestrator
- Core dump files generated in /var/savecore/ or /shared/core/ correlated with proxy connect traffic
- Sudden loss of availability on virtual servers configured for explicit forward proxy
- Anomalous HTTP CONNECT request patterns directed at the SSL Orchestrator listener
Detection Strategies
- Monitor BIG-IP /var/log/ltm and /var/log/tmm for segmentation faults, assertion failures, or TMM restart events.
- Correlate proxy connect traffic spikes with TMM service availability metrics to surface trigger events.
- Apply network detection rules that flag malformed or oversized HTTP CONNECT headers reaching the proxy listener.
Monitoring Recommendations
- Forward BIG-IP system and TMM logs to a centralized log platform for retention and correlation analysis.
- Track virtual server availability and TMM restart counters through SNMP or the iControl REST API.
- Baseline normal CONNECT request rates and alert on deviations toward SSL Orchestrator virtual servers.
How to Mitigate CVE-2025-55036
Immediate Actions Required
- Identify all BIG-IP devices running SSL Orchestrator with explicit forward proxy and the proxy connect feature enabled.
- Apply the fixed software version listed in F5 Security Advisory K000151368 for your branch.
- Restrict network access to affected virtual servers to trusted client subnets until patches are applied.
- Verify that End of Technical Support (EoTS) versions are scheduled for upgrade, since F5 does not evaluate those releases.
Patch Information
F5 has published fixed versions and remediation guidance in F5 Security Advisory K000151368. Administrators should consult the advisory to identify the patched build that corresponds to their current BIG-IP branch and upgrade affected systems accordingly.
Workarounds
- Disable the proxy connect feature on SSL Orchestrator virtual servers where it is not strictly required.
- Reconfigure SSL Orchestrator to use transparent forward proxy instead of explicit forward proxy where supported by the deployment.
- Apply access control lists or iRules to restrict the source addresses permitted to issue HTTP CONNECT through the proxy listener.
# Configuration example: disable proxy connect on an SSL Orchestrator virtual server
# Replace <vs_name> with the affected virtual server
tmsh modify ltm virtual <vs_name> profiles delete { proxy-connect }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
