CVE-2025-55669 Overview
CVE-2025-55669 is a Denial of Service vulnerability affecting F5 BIG-IP Advanced WAF and ASM deployments. When a security policy and a server-side HTTP/2 profile are configured on a virtual server, specially crafted undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate unexpectedly. This vulnerability allows remote attackers to disrupt service availability without requiring authentication or user interaction.
The TMM is a critical component of the BIG-IP system responsible for processing all application traffic. Its termination results in immediate service disruption for all traffic passing through the affected virtual server, potentially impacting business-critical applications protected by the WAF.
Critical Impact
Remote unauthenticated attackers can crash the Traffic Management Microkernel, causing complete service disruption for applications protected by BIG-IP Advanced WAF and ASM configurations using server-side HTTP/2 profiles.
Affected Products
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Advanced WAF (Web Application Firewall)
- Virtual servers with server-side HTTP/2 profile configurations
Discovery Timeline
- October 15, 2025 - CVE-2025-55669 published to NVD
- October 22, 2025 - Last updated in NVD database
Technical Details for CVE-2025-55669
Vulnerability Analysis
This vulnerability is classified under CWE-672 (Operation on a Resource after Expiration or Release), indicating that the TMM component attempts to perform operations on resources that have already been released or are no longer valid during HTTP/2 traffic processing. The network-accessible attack vector combined with no required authentication makes this vulnerability particularly dangerous for internet-facing deployments.
The vulnerability specifically manifests when both a BIG-IP Advanced WAF or ASM security policy AND a server-side HTTP/2 profile are configured on the same virtual server. This combination creates a condition where certain traffic patterns can trigger resource handling errors within the TMM process.
Root Cause
The root cause stems from improper resource lifecycle management (CWE-672) within the TMM when processing HTTP/2 traffic in conjunction with WAF/ASM security policy evaluation. When specific traffic conditions are met, the TMM attempts to operate on resources that have already been released, leading to memory corruption or access violations that cause the microkernel to terminate.
This type of vulnerability typically occurs when asynchronous processing or complex state management fails to properly track resource validity across different execution paths. In the context of HTTP/2's multiplexed stream handling combined with WAF policy evaluation, race conditions or improper cleanup sequences can leave dangling references to freed resources.
Attack Vector
The attack is network-based and can be executed remotely without any authentication or user interaction. An attacker needs to send specially crafted traffic to a virtual server configured with both:
- A BIG-IP Advanced WAF or ASM security policy
- A server-side HTTP/2 profile
The specific traffic patterns that trigger the vulnerability have not been publicly disclosed by F5, which helps prevent widespread exploitation. However, the combination of low attack complexity and no required privileges means that once the trigger conditions are understood, exploitation becomes trivial for any network-accessible attacker.
The vulnerability does not allow for data confidentiality or integrity impact—its sole effect is availability disruption through service termination.
Detection Methods for CVE-2025-55669
Indicators of Compromise
- Unexpected TMM process restarts or crashes in BIG-IP system logs
- Frequent tmm core dumps appearing in /var/log/ directories
- Service interruptions correlating with spikes in HTTP/2 traffic
- Multiple 01010025:3: TMM restart required log entries within short time periods
Detection Strategies
- Monitor BIG-IP system logs for TMM termination events using tmsh show /sys log ltm
- Implement alerting on repeated TMM restart patterns indicative of exploitation attempts
- Review HTTP/2 traffic patterns for anomalous connection behaviors preceding crashes
- Deploy network monitoring to identify unusual traffic spikes targeting affected virtual servers
Monitoring Recommendations
- Enable detailed logging for virtual servers with server-side HTTP/2 profiles
- Configure SNMP traps for TMM health status changes
- Implement real-time dashboards monitoring TMM process stability metrics
- Set up automated alerts when TMM restart frequency exceeds baseline thresholds
How to Mitigate CVE-2025-55669
Immediate Actions Required
- Review all virtual servers to identify those with both WAF/ASM security policies and server-side HTTP/2 profiles
- Consult the F5 Technical Article K000150752 for version-specific patch availability
- Prioritize patching for internet-facing BIG-IP deployments with the affected configuration
- Consider temporarily removing server-side HTTP/2 profiles if immediate patching is not possible
Patch Information
F5 has released security updates to address this vulnerability. Administrators should consult F5 Technical Article K000150752 for detailed information about affected versions and available patches. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to supported versions.
Organizations should prioritize upgrading BIG-IP systems to the latest available fixed versions as documented in the F5 security advisory. The vendor advisory contains specific version numbers and hotfix availability based on the current BIG-IP release branch.
Workarounds
- Remove the server-side HTTP/2 profile from affected virtual servers if HTTP/2 to backend servers is not required
- Implement rate limiting on traffic to affected virtual servers to reduce attack surface
- Deploy additional network-layer filtering to restrict access to BIG-IP management and virtual server interfaces
- Consider using client-side HTTP/2 only configurations while maintaining HTTP/1.1 to backend servers as an interim measure
# Check for affected configuration (virtual servers with HTTP/2 server-side profile and WAF policy)
tmsh list ltm virtual all-properties | grep -A 20 "virtual" | grep -E "(profiles|asm|http2)"
# List all HTTP/2 profiles to identify server-side configurations
tmsh list ltm profile http2
# Review ASM policy assignments
tmsh list asm policy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
