CVE-2025-59478 Overview
CVE-2025-59478 is a denial-of-service vulnerability affecting F5 BIG-IP Advanced Firewall Manager (AFM). When a BIG-IP AFM denial-of-service (DoS) protection profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. This vulnerability allows unauthenticated remote attackers to disrupt network traffic processing and availability of protected services.
Critical Impact
Unauthenticated attackers can remotely crash the TMM process, causing service disruption and potential traffic outages for all services managed by the affected BIG-IP device.
Affected Products
- F5 BIG-IP Advanced Firewall Manager (versions prior to patched releases)
- F5 BIG-IP AFM version 17.5.0
- F5 BIG-IP AFM (multiple version ranges - see vendor advisory for details)
Discovery Timeline
- October 15, 2025 - CVE-2025-59478 published to NVD
- October 22, 2025 - Last updated in NVD database
Technical Details for CVE-2025-59478
Vulnerability Analysis
This vulnerability is classified under CWE-824: Access of Uninitialized Pointer. The flaw exists within the Traffic Management Microkernel (TMM) process, which is the core data plane component responsible for processing all traffic through BIG-IP devices. When a DoS protection profile is applied to a virtual server, certain malformed or specially crafted requests can trigger an uninitialized pointer access condition within TMM.
The TMM process is critical to BIG-IP operation—its termination results in immediate traffic disruption. While BIG-IP systems typically include failover mechanisms, exploitation of this vulnerability can cause significant service degradation, especially in environments without high availability configurations or where both members of an HA pair are targeted simultaneously.
Root Cause
The root cause of CVE-2025-59478 is an uninitialized pointer vulnerability (CWE-824) in the TMM process. When processing specific types of requests against a virtual server with an AFM DoS protection profile enabled, the code path accesses a pointer that has not been properly initialized. This results in undefined behavior that causes the TMM process to crash and terminate.
The vulnerability specifically manifests when the DoS protection profile is actively configured, indicating the flaw exists within the DoS mitigation code path rather than standard traffic processing routines.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker needs network access to a virtual server that has an AFM DoS protection profile configured. By sending specially crafted requests to the vulnerable virtual server, the attacker can trigger the uninitialized pointer access and crash the TMM process.
The attack does not require any user interaction and can be launched by any unauthenticated network client with access to the affected virtual server. This makes the vulnerability particularly concerning for internet-facing BIG-IP deployments with DoS protection enabled.
Detection Methods for CVE-2025-59478
Indicators of Compromise
- Unexpected TMM process restarts visible in /var/log/ltm log files
- Core dump files generated in /var/core/ directory related to TMM crashes
- Sudden traffic drops or connection failures for services behind the BIG-IP device
- High-availability failover events without apparent cause
Detection Strategies
- Monitor TMM process stability using tmsh show sys tmm-info and alert on unexpected restarts
- Implement log monitoring for TMM crash events in system logs with pattern matching for core dump generation
- Deploy network anomaly detection to identify unusual request patterns targeting virtual servers with DoS profiles
- Use SentinelOne Singularity to detect and correlate suspicious process termination events across infrastructure
Monitoring Recommendations
- Configure SNMP traps for TMM process health and restart events
- Enable detailed traffic logging on virtual servers with DoS protection profiles to capture request patterns preceding crashes
- Implement real-time alerting for core file generation in /var/core/ directory
- Monitor BIG-IP device availability and failover state transitions
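The core-file and log checks listed above can be scripted from the BIG-IP shell. This is an added example, not code from the original page or from F5: the function names, the `tmm*` core-file name match and the log regex are assumptions to tune for your version, and the files created in `demo` are constructed sample data.

```bash
#!/bin/bash
# Added example, not F5 or vendor code. Assumptions: TMM core files in
# /var/core have names starting with "tmm", and TMM_LOG_PATTERN is an
# illustrative regex to tune against the messages your version really logs.
CORE_DIR="${CORE_DIR:-/var/core}"
LTM_LOG="${LTM_LOG:-/var/log/ltm}"
TMM_LOG_PATTERN="${TMM_LOG_PATTERN:-tmm.*(core|restart|heartbeat)}"

# List tmm* files in directory $1 modified within the last $2 minutes.
recent_tmm_cores() {
    find "$1" -maxdepth 1 -type f -name 'tmm*' -mmin "-$2" 2>/dev/null | sort
}

# Count pattern matches in the last $2 lines of log file $1 (0 if unreadable).
tmm_log_hits() {
    local n
    n=$(tail -n "$2" "$1" 2>/dev/null | grep -Eic -- "$TMM_LOG_PATTERN" || true)
    echo "${n:-0}"
}

# Return 1 (alert) if a recent core or a matching log line exists, else 0.
check_tmm_stability() {
    local window="${1:-15}" cores hits count=0
    cores=$(recent_tmm_cores "$CORE_DIR" "$window")
    hits=$(tmm_log_hits "$LTM_LOG" 500)
    [ -n "$cores" ] && count=$(printf '%s\n' "$cores" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ] || [ "$hits" -gt 0 ]; then
        echo "ALERT recent_tmm_cores=$count log_hits=$hits"
        return 1
    fi
    echo "OK recent_tmm_cores=0 log_hits=0"
}

# Constructed fixture: one fresh core, one old core, two sample log lines.
demo() {
    local d rc=0
    d=$(mktemp -d)
    touch "$d/tmm.0.core.gz"; touch -t 202001010000 "$d/tmm.1.core.gz"
    printf '%s\n' \
        'Oct 16 10:00:01 bigip1 notice example[1]: constructed: tmm restart' \
        'Oct 16 10:00:05 bigip1 info example[2]: constructed: config saved' > "$d/ltm"
    ( CORE_DIR="$d"; LTM_LOG="$d/ltm"; check_tmm_stability 15 ) || rc=$?
    rm -rf "$d"; return "$rc"
}

# Run the live check only when asked: ./script --run [minutes]
if [ "${1:-}" = "--run" ]; then check_tmm_stability "${2:-15}"; fi
```

The non-zero exit status on an alert lets a scheduler or monitoring agent raise the event; the log count covers only the last 500 lines, so schedule the check more often than the log grows by that much.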
How to Mitigate CVE-2025-59478
Immediate Actions Required
- Review the F5 Security Article K000152341 for specific version information and patches
- Identify all BIG-IP AFM deployments with DoS protection profiles configured on virtual servers
- Plan maintenance windows to apply vendor-provided security updates
- Consider temporarily disabling DoS protection profiles on critical virtual servers until patches are applied (risk assessment required)
Patch Information
F5 has released security updates to address this vulnerability. Administrators should consult the F5 Security Article K000152341 for specific patch versions and upgrade guidance. Software versions that have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.
Patches should be tested in a staging environment before production deployment. Ensure high-availability configurations are properly maintained during upgrade procedures to minimize service disruption.
Workarounds
- Evaluate whether DoS protection profiles can be temporarily removed from non-critical virtual servers
- Implement network-level access controls to limit which source networks can reach affected virtual servers
- Ensure high-availability configurations are active to provide failover capability during potential exploitation
- Consider deploying additional upstream filtering to reduce attack surface while awaiting patch deployment
```bash
# Check if DoS protection profiles are configured on virtual servers
tmsh list ltm virtual | grep -A 10 "dos-profile"

# List all configured DoS profiles
tmsh list security dos profile

# Monitor TMM process status
tmctl -c 0 tmm/stat/global
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


