CVE-2025-58071 Overview
CVE-2025-58071 is a denial of service vulnerability affecting F5 BIG-IP systems when IPsec is configured. When exploited, specially crafted network traffic can cause the Traffic Management Microkernel (TMM) to terminate unexpectedly. The TMM is a critical component responsible for processing all application traffic on BIG-IP systems, making this vulnerability particularly impactful for organizations relying on these devices for network security and application delivery.
This vulnerability is classified under CWE-457 (Use of Uninitialized Variable): when processing certain IPsec traffic, TMM reads a variable before it has been initialized, and the resulting undefined behavior terminates the process. It is exploitable remotely by an unauthenticated attacker who can reach the IPsec endpoint on the device.
Critical Impact
Unauthenticated remote attackers can crash the Traffic Management Microkernel (TMM) on F5 BIG-IP systems with IPsec enabled, causing service disruption and potential network outages.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Advanced Web Application Firewall (AWAF)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Global Traffic Manager (GTM)
- F5 BIG-IP Domain Name System (DNS)
- F5 BIG-IP Carrier-Grade NAT (CGNAT)
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Policy Enforcement Manager (PEM)
- F5 BIG-IP Next Cloud-Native Network Functions
- F5 BIG-IP Next for Kubernetes
Discovery Timeline
- October 15, 2025 - CVE-2025-58071 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-58071
Vulnerability Analysis
The vulnerability exists in the Traffic Management Microkernel (TMM) component of F5 BIG-IP systems when IPsec is configured. The TMM is responsible for processing all data plane traffic including load balancing, SSL termination, and protocol handling. When the system receives certain undisclosed traffic patterns while IPsec is active, an uninitialized variable condition triggers an unexpected termination of the TMM process.
This denial of service condition can be triggered remotely over the network without requiring any authentication or user interaction. The attack complexity is low, meaning an attacker with basic network access can exploit this vulnerability to disrupt services. The impact is limited to availability—there is no compromise of confidentiality or integrity of data.
When the TMM crashes, all traffic processing through the BIG-IP device is interrupted until the TMM process recovers. In high-availability configurations, this may trigger a failover event. Repeated exploitation could cause sustained service disruption.
Root Cause
The root cause of CVE-2025-58071 is the use of an uninitialized variable (CWE-457) within the TMM's IPsec processing code. When specific traffic conditions are encountered, the TMM attempts to access a variable that has not been properly initialized, leading to undefined behavior and ultimately causing the process to terminate. This type of vulnerability typically occurs when code paths exist that bypass variable initialization routines, or when error handling does not properly account for all states.
Attack Vector
The attack vector for this vulnerability is network-based. An attacker can exploit this vulnerability by sending specially crafted network traffic to a BIG-IP system that has IPsec configured. The specific nature of the traffic that triggers the vulnerability has not been publicly disclosed by F5 to prevent exploitation.
Key characteristics of the attack vector include:
- Network-accessible: The attack can be launched remotely from any system that can send network traffic to the BIG-IP device
- No authentication required: The attacker does not need valid credentials to exploit the vulnerability
- No user interaction: The attack can succeed without any action from administrators or users
- IPsec configuration required: The vulnerability only affects systems where IPsec is enabled and configured
The attack targets the data plane of the BIG-IP system, specifically the IPsec traffic processing functionality within TMM. Organizations using IPsec for site-to-site VPNs or other encrypted communications through their BIG-IP devices are at risk.
Detection Methods for CVE-2025-58071
Indicators of Compromise
- Unexpected TMM process termination events in BIG-IP system logs
- Repeated TMM crash and restart patterns correlating with incoming network traffic
- High-availability failover events triggered by TMM failures without other apparent causes
- Unusual IPsec traffic patterns from external sources prior to service disruption
Detection Strategies
- Monitor /var/log/ltm and /var/log/tmm for TMM crash and restart events, either on the device or through centralized logging (tmctl reports statistics tables, not log events)
- Configure SNMP traps or monitoring alerts for TMM restart events and HA failover conditions
- Implement network traffic analysis to detect anomalous IKE (UDP 500/4500) and ESP traffic reaching the self IPs that terminate IPsec; the vulnerable code is in the data plane, so the management interface is not the exposure point
- Review core files under /shared/core when available; repeated TMM cores that correlate with inbound IPsec traffic are the strongest indicator of exploitation
Monitoring Recommendations
- Enable detailed logging for TMM events and forward logs to a SIEM for correlation analysis
- Set up automated alerting for TMM availability metrics and unexpected process restarts
- Monitor high-availability cluster status for unplanned failover events that may indicate exploitation attempts
- Track IPsec tunnel statistics and anomalies that could indicate reconnaissance or attack activity
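The correlation described under Detection Strategies and Monitoring Recommendations, as an added Python example (not code from the page, from F5, or from any product): it reads BIG-IP-style syslog lines, flags a burst of unplanned TMM exits inside a time window, and notes whether an HA failover followed. The log lines are constructed, the process names, message wording and the CRASH_RE/FAILOVER_RE patterns are assumptions, and both patterns must be tuned to what your BIG-IP version actually logs.

```python
import re
from datetime import datetime

# Constructed sample lines in a BIG-IP-style syslog layout (hypothetical, not
# captured from a real device; actual TMM/sod message text varies by version).
SAMPLE_LOG = """\
Oct 16 09:14:02 bigip1 notice sod[4120]: Active for traffic group /Common/traffic-group-1.
Oct 16 09:20:11 bigip1 crit tmm[7501]: TMM process 0 terminated unexpectedly (signal 11)
Oct 16 09:20:14 bigip1 notice sod[4120]: restarting tmm
Oct 16 09:21:40 bigip1 crit tmm[7588]: TMM process 0 terminated unexpectedly (signal 11)
Oct 16 09:21:43 bigip1 notice sod[4120]: restarting tmm
Oct 16 09:22:59 bigip1 crit tmm[7640]: TMM process 0 terminated unexpectedly (signal 11)
Oct 16 09:23:05 bigip1 notice sod[4120]: Standby for traffic group /Common/traffic-group-1.
Oct 16 11:05:00 bigip1 notice tmm[7700]: TMM process 0 restarted by administrator
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>\w+)\[\d+\]: (?P<msg>.*)$"
)
# Phrases taken to mean an unplanned TMM exit (assumed; tune to your version).
CRASH_RE = re.compile(r"terminated unexpectedly|crash|SIGSEGV|core dumped", re.I)
# sod announcing that this unit went standby (assumed wording).
FAILOVER_RE = re.compile(r"Standby for traffic group", re.I)


def parse_line(line, year=2025):
    """Return {'ts', 'host', 'kind', 'msg'} for crash/failover lines, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    if m["proc"] == "tmm" and CRASH_RE.search(msg):
        kind = "crash"
    elif m["proc"] == "sod" and FAILOVER_RE.search(msg):
        kind = "failover"
    else:
        return None
    return {"ts": ts, "host": m["host"], "kind": kind, "msg": msg}


def detect_tmm_crash_bursts(lines, threshold=3, window_s=300, failover_grace_s=120):
    """Alert when at least `threshold` TMM crashes land inside `window_s` seconds.

    Each alert records whether an HA failover followed the last crash within
    `failover_grace_s`, the crash-then-failover pattern listed as an indicator.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    crashes = [e for e in events if e["kind"] == "crash"]
    failovers = [e for e in events if e["kind"] == "failover"]
    alerts = []
    i = 0
    while i < len(crashes):
        start = crashes[i]["ts"]
        burst = [c for c in crashes[i:] if (c["ts"] - start).total_seconds() <= window_s]
        if len(burst) < threshold:
            i += 1
            continue
        last = burst[-1]["ts"]
        followed = any(0 <= (f["ts"] - last).total_seconds() <= failover_grace_s
                       for f in failovers)
        alerts.append({
            "host": burst[0]["host"],
            "first": start.isoformat(),
            "last": last.isoformat(),
            "crash_count": len(burst),
            "failover_within_grace": followed,
        })
        i += len(burst)  # do not re-alert on crashes already counted
    return alerts


if __name__ == "__main__":
    for alert in detect_tmm_crash_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The administrator-initiated restart at the end of the sample is deliberately not matched, so planned restarts do not inflate the count; in a SIEM the same logic maps to a count-over-window rule on the TMM crash pattern joined with the failover event.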
How to Mitigate CVE-2025-58071
Immediate Actions Required
- Review your BIG-IP infrastructure to identify all systems with IPsec configurations
- Apply the fixed release listed for your branch in F5 Security Advisory K000156746
- Consider temporarily disabling IPsec functionality if not business-critical until patching is complete
- Implement network access controls to restrict which systems can send IPsec traffic to affected BIG-IP devices
Patch Information
F5 has released security updates to address this vulnerability. Organizations should consult the F5 Security Advisory K000156746 for detailed information about affected versions and available patches.
Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability. Organizations running EoTS versions should prioritize upgrading to supported releases.
Affected version branches include multiple releases across the BIG-IP product family, including version 17.5.0 and the BIG-IP Next product line. Refer to the F5 advisory for the complete list of affected and fixed versions.
Workarounds
- Restrict IKE (UDP 500 and 4500) and ESP (IP protocol 50) on the self IPs that terminate IPsec to the addresses of known peers, using upstream firewall rules, AFM policies or access control lists; peers configured with a wildcard remote address cannot be pinned this way
- Evaluate whether IPsec can be temporarily disabled or moved to alternative infrastructure while awaiting patches
- Implement rate limiting on IPsec traffic where possible; this limits how often an attacker can re-trigger the crash but does not prevent an individual crash, so it complements access control rather than replacing it
- Deploy network-based intrusion detection systems to identify and alert on suspicious traffic patterns targeting BIG-IP devices
# Example: Check if IPsec is configured on BIG-IP (ike-peer, ipsec-policy and traffic-selector objects)
tmsh list net ipsec
# Example: Review TMM logs for crash events
grep -i "tmm" /var/log/ltm /var/log/tmm | grep -iE "crash|restart|terminat|core"
# Example: Check TMM process state
tmsh show sys tmm-info
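To turn the inventory step under Immediate Actions and the access-restriction workaround into something repeatable, here is an added Python example (not code from the page, from F5, or from tmsh itself): it parses the brace-delimited output of `tmsh list net ipsec`, extracts each IKE peer's remote address, expands those into the IKE/NAT-T/ESP allow entries an upstream firewall needs, and reports peers with a wildcard remote address that cannot be pinned. The tmsh output below is constructed, the parser is a small hand-written one rather than anything F5 ships, and the port and protocol list assumes a standard IKE/ESP deployment.

```python
import re

# Constructed sample of `tmsh list net ipsec` output (hypothetical, not taken
# from a real device; property names follow tmsh conventions).
SAMPLE_TMSH = """\
net ipsec ike-peer /Common/dc2-peer {
    my-id-type address
    my-id-value 203.0.113.10
    peer-id-type address
    peer-id-value 198.51.100.20
    remote-address 198.51.100.20
    version { v2 }
}
net ipsec ike-peer /Common/roaming-peer {
    remote-address 0.0.0.0
    version { v1 }
}
net ipsec ipsec-policy /Common/dc2-policy {
    mode tunnel
    tunnel-local-address 203.0.113.10
    tunnel-remote-address 198.51.100.20
}
"""

# What the BIG-IP must still accept from each peer: IKE on UDP/500, NAT-T on
# UDP/4500 and ESP (IP protocol 50). Add AH (51) only if you actually use it.
IPSEC_SERVICES = (("udp", 500), ("udp", 4500), ("esp", None))
# remote-address values that mean "any peer" and therefore cannot be allowlisted.
WILDCARD_ADDRS = {None, "0.0.0.0", "::", "any"}


def _tokenize(text):
    return re.findall(r"\{|\}|[^\s{}]+", text)


def parse_tmsh_list(text):
    """Parse brace-delimited tmsh 'list' output into (type, name, body) tuples."""
    tokens = _tokenize(text)
    pos = 0

    def parse_block():
        nonlocal pos
        body = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key = tokens[pos]
            pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                body[key] = parse_block()
                pos += 1  # closing brace of the nested block
            elif pos < len(tokens) and tokens[pos] != "}":
                body[key] = tokens[pos]
                pos += 1
            else:
                body[key] = None  # bare flag such as 'v2' inside 'version { }'
        return body

    objects = []
    while pos < len(tokens):
        header = []
        while pos < len(tokens) and tokens[pos] != "{":
            header.append(tokens[pos])
            pos += 1
        if pos >= len(tokens) or len(header) < 2:
            break
        pos += 1  # opening brace
        body = parse_block()
        pos += 1  # closing brace
        objects.append((" ".join(header[:-1]), header[-1], body))
    return objects


def ipsec_peer_allowlist(tmsh_text):
    """Return ({peer_name: remote_address}, [peers that cannot be pinned])."""
    pinned, wildcard = {}, []
    for otype, name, body in parse_tmsh_list(tmsh_text):
        if otype != "net ipsec ike-peer":
            continue
        addr = body.get("remote-address")
        if addr in WILDCARD_ADDRS:
            wildcard.append(name)
        else:
            pinned[name] = addr
    return pinned, wildcard


def allow_rules(pinned):
    """Expand pinned peers into (src, proto, dst_port) tuples for a firewall policy."""
    return sorted({(addr, proto, port) for addr in pinned.values()
                   for proto, port in IPSEC_SERVICES}, key=str)


if __name__ == "__main__":
    pinned, wildcard = ipsec_peer_allowlist(SAMPLE_TMSH)
    for rule in allow_rules(pinned):
        print("allow", rule)
    for name in wildcard:
        print("cannot pin to a source address:", name)
```

Run it against `tmsh list net ipsec` output saved from each device; any peer reported as unpinnable is one where the access-control workaround does not apply and patching or disabling IPsec is the only real option.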
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


