CVE-2025-61951 Overview
CVE-2025-61951 is a high-severity Denial of Service vulnerability affecting the F5 BIG-IP Traffic Management Microkernel (TMM). When specific DTLS 1.2 configurations are present, undisclosed network traffic can cause the TMM process to terminate unexpectedly, resulting in service disruption for all traffic passing through the affected BIG-IP system.
The vulnerability is triggered when a DTLS 1.2 virtual server is configured with a Server SSL profile containing a certificate, key, and the SSL Sign Hash set to ANY, while the backend server has DTLS 1.2 enabled with client authentication. This specific configuration combination creates a condition where malformed or unexpected traffic can crash the TMM process.
Critical Impact
Successful exploitation causes Traffic Management Microkernel (TMM) termination, resulting in complete disruption of all traffic processing through the BIG-IP system. This can lead to service outages for critical enterprise applications and infrastructure.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Advanced Web Application Firewall (AWAF)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Global Traffic Manager (GTM)
- F5 BIG-IP Domain Name System (DNS)
- F5 BIG-IP Analytics
- F5 BIG-IP Application Acceleration Manager (AAM)
- F5 BIG-IP Application Visibility and Reporting (AVR)
- F5 BIG-IP Carrier-Grade NAT (CGNAT)
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Fraud Protection Service (FPS)
- F5 BIG-IP Link Controller
- F5 BIG-IP Policy Enforcement Manager (PEM)
- F5 BIG-IP WebAccelerator
- F5 BIG-IP WebSafe
- F5 BIG-IP Container Ingress Services
- F5 BIG-IP Automation Toolchain
Discovery Timeline
- October 15, 2025 - CVE-2025-61951 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-61951
Vulnerability Analysis
This vulnerability is classified under CWE-125 (Out-of-Bounds Read), indicating that the TMM process attempts to read data from a memory location outside the bounds of an allocated buffer during DTLS 1.2 handshake processing. When the specific configuration conditions are met, the TMM fails to properly validate incoming DTLS traffic before processing, leading to an out-of-bounds memory read operation.
The TMM is the data plane component of F5 BIG-IP systems responsible for processing all Layer 4-7 traffic. When TMM terminates, traffic processing stops completely until the process restarts, creating a window of service unavailability. In high-availability configurations, this can trigger failover events, while standalone deployments experience complete traffic blackouts.
Root Cause
The root cause stems from improper bounds checking in the DTLS 1.2 handshake processing logic within TMM. When the Server SSL profile is configured with SSL Sign Hash set to ANY and the backend server requires client authentication, the TMM encounters an edge case where it reads beyond allocated memory boundaries while processing DTLS records. This out-of-bounds read results in process termination rather than graceful error handling.
The vulnerability is configuration-dependent, requiring the specific combination of:
- DTLS 1.2 virtual server enabled
- Server SSL profile with certificate and key
- SSL Sign Hash set to ANY
- Backend server with DTLS 1.2 and client authentication enabled
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can send crafted network traffic to a vulnerable DTLS 1.2 virtual server from any network location that can reach the BIG-IP system. The attack exploits the DTLS protocol handling path, targeting the specific configuration combination that triggers the out-of-bounds read condition.
The vulnerability affects the availability of the system without impacting confidentiality or integrity. Upon successful exploitation, the TMM process crashes, disrupting all traffic flows through the affected BIG-IP device until the process automatically restarts or manual intervention occurs.
Detection Methods for CVE-2025-61951
Indicators of Compromise
- TMM process crash events logged in /var/log/ltm with references to DTLS handshake failures
- Unexpected failover events in BIG-IP high-availability pairs without other apparent cause
- Core dumps generated in /var/core/ directory associated with TMM process termination
- Repeated TMM restarts visible in system logs correlating with DTLS traffic patterns
Detection Strategies
- Monitor F5 BIG-IP system logs for TMM termination events using log aggregation solutions
- Configure SNMP traps or syslog forwarding for TMM process state changes
- Implement network traffic analysis to detect anomalous DTLS traffic patterns targeting BIG-IP virtual servers
- Review BIG-IP configuration to identify systems with vulnerable DTLS 1.2 configurations using tmsh list ltm virtual and tmsh list ltm profile server-ssl
Monitoring Recommendations
- Enable BIG-IP system health monitoring with automated alerting for TMM process status
- Configure SentinelOne to monitor F5 BIG-IP management interfaces for configuration changes and system events
- Implement network-level monitoring for unusual traffic volumes or patterns targeting DTLS ports (typically UDP 443 or custom ports)
- Set up availability monitoring for applications behind affected BIG-IP systems to detect service disruptions
How to Mitigate CVE-2025-61951
Immediate Actions Required
- Review all BIG-IP virtual server configurations to identify DTLS 1.2 deployments with vulnerable Server SSL profile settings
- Change the SSL Sign Hash setting from ANY to a specific hash algorithm where operationally feasible
- Consider disabling DTLS 1.2 temporarily if not required for business operations
- Implement network access controls to limit sources that can reach DTLS virtual servers
Patch Information
F5 has released security patches addressing this vulnerability. Refer to F5 Security Article K000151309 for specific version information and upgrade guidance. Organizations should prioritize patching systems running version 17.5.0 and earlier affected releases. Software versions that have reached End of Technical Support (EoTS) are not evaluated by F5.
Workarounds
- Modify the Server SSL profile to use a specific SSL Sign Hash value instead of ANY (e.g., SHA256 or SHA384)
- Disable DTLS 1.2 on virtual servers where it is not required for application functionality
- Implement network segmentation to restrict access to DTLS virtual servers to trusted sources only
- Consider using iRules to filter or rate-limit traffic to affected virtual servers as a temporary measure
# Example: Modify Server SSL profile to use specific hash algorithm
tmsh modify ltm profile server-ssl <profile_name> ssl-sign-hash sha256
# Verify the configuration change
tmsh list ltm profile server-ssl <profile_name> ssl-sign-hash
# Alternatively, disable DTLS on the virtual server if not required
tmsh modify ltm virtual <virtual_name> dtls disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
