CVE-2025-58424 Overview
CVE-2025-58424 affects F5 BIG-IP systems processing traffic in protocols that lack message integrity protection. Undisclosed traffic conditions can trigger data corruption and unauthorized data modification on the affected appliance. The flaw is classified under CWE-340 (Generation of Predictable Numbers or Identifiers) and is reachable over the network without authentication or user interaction. F5 notes that software versions which have reached End of Technical Support (EoTS) were not evaluated for this issue.
Critical Impact
Network-adjacent attackers can cause unauthorized modification of data traversing BIG-IP for protocols without built-in integrity checks, undermining trust in proxied traffic.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM), Access Policy Manager (APM), Advanced WAF, and Application Security Manager (ASM)
- F5 BIG-IP Advanced Firewall Manager (AFM), DDoS Hybrid Defender, Carrier-Grade NAT, and Policy Enforcement Manager (PEM)
- F5 BIG-IP DNS, Global Traffic Manager (GTM), Link Controller, SSL Orchestrator, WebAccelerator, Analytics, AAM, AVR, Container Ingress Services, Edge Gateway, Fraud Protection Service, WebSafe, and Automation Toolchain
Discovery Timeline
- 2025-10-15 - CVE-2025-58424 published to the National Vulnerability Database
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-58424
Vulnerability Analysis
The issue resides in how BIG-IP handles traffic for protocols that do not enforce message integrity protection. When an attacker injects or manipulates undisclosed traffic, the affected system processes the data without verifying that the payload remains unaltered. The result is silent data corruption or unauthorized data modification in flight.
Because BIG-IP is typically deployed as a network-facing application delivery controller, the integrity loss propagates to backend applications and clients that rely on the appliance to terminate and forward traffic. Workloads that depend on protocols without built-in cryptographic integrity, such as plaintext DNS, unauthenticated UDP services, or legacy management protocols, are most exposed.
Root Cause
CWE-340 points to predictable identifier or value generation. In this context, the weakness allows attacker-influenced traffic to be accepted or transformed without integrity validation. Without a message authentication code, sequence enforcement, or equivalent control, BIG-IP cannot reliably distinguish authentic traffic from forged or modified packets.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker positioned to send traffic to a BIG-IP virtual server, or capable of injecting traffic on a path BIG-IP processes, can trigger the data integrity impact. Confidentiality and availability are not affected, but integrity of forwarded data is.
No proof-of-concept exploit is publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the F5 Security Article K000151297 for vendor-specific technical context and affected version matrices.
Detection Methods for CVE-2025-58424
Indicators of Compromise
- Unexpected modification of application payloads observed by backend servers when traffic is proxied through BIG-IP virtual servers handling non-integrity-protected protocols.
- Anomalous DNS, UDP, or plaintext protocol responses inconsistent with origin server logs.
- Spikes in malformed or unusually structured packets directed at BIG-IP listeners.
Detection Strategies
- Compare request and response payload hashes between BIG-IP ingress and backend egress to detect tampering of in-flight traffic.
- Enable verbose BIG-IP logging for affected virtual servers and forward logs to a centralized analytics platform for correlation.
- Audit BIG-IP virtual server configurations to enumerate any listener bound to protocols without TLS or message authentication.
Monitoring Recommendations
- Monitor F5 advisory channels and subscribe to updates for K000151297 to track patched version availability.
- Alert on unauthenticated protocol use traversing BIG-IP, including plaintext HTTP, DNS without DNSSEC, and legacy UDP services.
- Track outbound integrity errors reported by downstream applications that consume BIG-IP-proxied traffic.
How to Mitigate CVE-2025-58424
Immediate Actions Required
- Inventory all BIG-IP modules in use and confirm which virtual servers handle protocols without message integrity protection.
- Apply the fixed software versions listed in F5 Security Article K000151297 as soon as they are validated in a test environment.
- Retire or upgrade any BIG-IP instance running an End of Technical Support release, since these versions are not evaluated by F5.
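The virtual-server audit called for under Detection Strategies and the inventory step above can be scripted. The following is an added example, not F5 tooling or code from the advisory: it parses `tmsh list ltm virtual` brace output and flags listeners that carry no transport-level integrity (UDP, or TCP with no SSL profile attached). The tmsh output is a constructed sample, the listener names are invented, and the SSL check is a profile-name heuristic.

```python
import re
# Constructed sample of `tmsh list ltm virtual` output (not from a real device); tmsh omits defaults such as "ip-protocol tcp".
SAMPLE = """\
ltm virtual vs_dns_udp {
    destination 192.0.2.10:domain
    ip-protocol udp
    profiles {
        dns { }
    }
}
ltm virtual vs_web_tls {
    destination 192.0.2.20:https
    profiles {
        clientssl {
            context clientside
        }
    }
}
ltm virtual vs_web_plain {
    destination 192.0.2.30:http
    profiles {
        http { }
    }
}
"""
def parse_virtuals(text):  # walk tmsh brace output, one dict per virtual server
    servers, depth, cur, in_profiles = [], 0, None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"ltm virtual (\S+) \{", line)
        if depth == 0 and m:
            servers.append(cur := {"name": m.group(1), "destination": "", "ip-protocol": "tcp", "profiles": []})
        elif cur and depth == 1 and line == "profiles {":
            in_profiles = True
        elif cur and depth == 1 and line.split()[0] in ("destination", "ip-protocol"):
            cur[line.split()[0]] = line.split(None, 1)[1]
        elif cur and depth == 2 and in_profiles and re.match(r"\S+ \{", line):
            cur["profiles"].append(line.split()[0])   # "dns { }" or "clientssl {"
        depth += line.count("{") - line.count("}")     # brace nesting tracks the block structure
        in_profiles = in_profiles and depth > 1
    return servers
def flag_unprotected(servers):
    """Listener name -> reason for each virtual server whose transport carries no message integrity
    (UDP, or TCP with no SSL profile); the SSL test is a profile-name heuristic, custom names need a lookup."""
    out = {}
    for vs in servers:
        if vs["ip-protocol"] == "udp":
            out[vs["name"]] = f"udp listener {vs['destination']}: no transport integrity"
        elif not any("ssl" in p.lower() for p in vs["profiles"]):
            out[vs["name"]] = f"plaintext tcp listener {vs['destination']}: no SSL profile"
    return out
```

On a real device, feed it the output of `tmsh list ltm virtual` and resolve custom SSL profile names against `tmsh list ltm profile client-ssl` before trusting the heuristic.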
Patch Information
F5 publishes fixed software versions and remediation guidance in the vendor advisory K000151297. Administrators should consult the advisory for module-specific upgrade paths covering LTM, APM, AFM, ASM, DNS, SSL Orchestrator, and other affected components.
Workarounds
- Where feasible, migrate affected traffic flows to protocols that provide message integrity, such as TLS-protected variants of the same service.
- Enable DNSSEC, IPsec, or application-layer authentication codes to add integrity verification at higher protocol layers.
- Restrict network reachability to BIG-IP virtual servers using firewall rules and access control lists until the patched release is deployed.
# Configuration example
# Enumerate BIG-IP virtual servers with destination, protocol and attached profile names (profile names are the 8-space-indented lines)
tmsh list ltm virtual all-properties | grep -E "^ltm virtual|destination|ip-protocol|^ {8}[^ ]+ \{"
# Restrict access to a virtual server with an address-list while remediation is pending (requires the AFM module)
tmsh create security firewall address-list trusted_clients addresses add { 10.0.0.0/8 }
tmsh create security firewall policy restrict_vs rules add { allow_trusted { action accept source { address-lists add { trusted_clients } } } drop_others { action drop } }
tmsh modify ltm virtual <vs_name> fw-enforced-policy restrict_vs
# Log firewall decisions on the virtual server so allowed and dropped flows are visible
tmsh modify ltm virtual <vs_name> security-log-profiles add { global-network }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.