CVE-2025-58096 Overview
CVE-2025-58096 is an out-of-bounds write vulnerability (CWE-787) affecting F5 BIG-IP systems. When the database variable tm.tcpudptxchecksum is configured with the non-default value "Software-only," undisclosed network traffic can cause the Traffic Management Microkernel (TMM) to terminate unexpectedly. This vulnerability poses a significant denial of service risk to organizations relying on BIG-IP for critical traffic management and application delivery.
Critical Impact
Exploitation of this vulnerability can cause the TMM process to crash, resulting in a denial of service condition that disrupts all traffic processing through the affected BIG-IP system.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP Analytics
- F5 BIG-IP Application Acceleration Manager
- F5 BIG-IP Application Visibility and Reporting
- F5 BIG-IP Automation Toolchain
- F5 BIG-IP Carrier-Grade NAT
- F5 BIG-IP Container Ingress Services
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Domain Name System
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP Global Traffic Manager (GTM)
- F5 BIG-IP Link Controller
- F5 BIG-IP Policy Enforcement Manager
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP WebAccelerator
- F5 BIG-IP WebSafe
Discovery Timeline
- October 15, 2025 - CVE-2025-58096 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-58096
Vulnerability Analysis
This vulnerability is classified as an out-of-bounds write (CWE-787) in the F5 BIG-IP Traffic Management Microkernel (TMM). The TMM is the core data plane component responsible for processing all network traffic through the BIG-IP system, handling load balancing, SSL termination, and application delivery functions.
The vulnerability is triggered when specific traffic patterns are processed by a BIG-IP system that has been configured with the non-default tm.tcpudptxchecksum database variable set to "Software-only." Under normal operation, TCP/UDP checksum calculations may be offloaded to hardware. When forced to software-only mode, certain traffic characteristics cause an out-of-bounds memory write condition within the TMM process.
The out-of-bounds write results in TMM process termination rather than memory corruption that could lead to code execution, making this primarily a denial of service vulnerability. However, given TMM's critical role in traffic processing, its termination immediately impacts all application traffic flowing through the BIG-IP device.
Root Cause
The root cause lies in improper bounds checking within the TMM's software-based TCP/UDP checksum calculation routines. When the tm.tcpudptxchecksum variable is set to "Software-only," the TMM uses a different code path for checksum operations that contains insufficient validation of packet data boundaries. Malformed or specially crafted traffic can cause the process to write beyond allocated memory regions, triggering a crash.
Attack Vector
The attack vector is network-based and does not require authentication or user interaction. An attacker can exploit this vulnerability by sending crafted network traffic to a BIG-IP system configured with the vulnerable setting. The attack conditions require:
- The target BIG-IP system must have the tm.tcpudptxchecksum database variable set to "Software-only" (non-default configuration)
- The attacker must be able to send network traffic that will be processed by the TMM
Since this is a non-default configuration, the exposure is limited to environments where administrators have explicitly changed this setting. The attacker does not need to authenticate to the BIG-IP management interface—only network-level access to send traffic through the device is required.
Detection Methods for CVE-2025-58096
Indicators of Compromise
- Unexpected TMM process restarts visible in /var/log/ltm log files
- Core dump files generated in /var/core/ directory indicating TMM crashes
- High availability (HA) failover events triggered by TMM failures
- Increased tmm_total_restarts counter in system statistics
Detection Strategies
- Monitor BIG-IP system logs for TMM process termination events using SNMP traps or syslog forwarding
- Implement alerting on HA failover events that may indicate exploitation attempts
- Review BIG-IP configuration to identify systems with tm.tcpudptxchecksum set to "Software-only"
- Deploy network monitoring to detect unusual traffic patterns targeting BIG-IP virtual servers
Monitoring Recommendations
- Configure centralized log collection for all BIG-IP devices to correlate TMM crash events
- Set up real-time alerting for TMM restart events using F5 iHealth or third-party SIEM solutions
- Establish baseline metrics for TMM stability and alert on deviations from normal behavior
How to Mitigate CVE-2025-58096
Immediate Actions Required
- Verify the tm.tcpudptxchecksum database variable configuration on all BIG-IP systems using the command tmsh list sys db tm.tcpudptxchecksum
- If set to "Software-only," evaluate whether this configuration is operationally necessary
- Apply vendor patches as they become available from F5
- Implement network access controls to limit traffic sources reaching vulnerable BIG-IP systems
Patch Information
F5 has published a security advisory addressing this vulnerability. Organizations should consult the F5 Security Advisory K000156691 for specific patch versions and update guidance. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to supported versions.
Workarounds
- Reset the tm.tcpudptxchecksum database variable to its default value if software-only checksum mode is not required for your environment
- Implement network segmentation to restrict traffic sources that can reach BIG-IP virtual servers
- Enable BIG-IP HA configurations to minimize service disruption during potential TMM restarts
- Consider temporarily routing traffic through alternate infrastructure while applying patches
# Check current tm.tcpudptxchecksum configuration
tmsh list sys db tm.tcpudptxchecksum
# Reset to default value (if software-only mode is not required)
tmsh modify sys db tm.tcpudptxchecksum value default
# Save configuration
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
