CVE-2025-61960 Overview
CVE-2025-61960 is a high-severity Denial of Service vulnerability affecting F5 BIG-IP Access Policy Manager (APM). When a per-request policy is configured on a BIG-IP APM portal access virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate unexpectedly. This vulnerability can lead to service disruption for organizations relying on BIG-IP APM for secure application access and authentication services.
Critical Impact
Successful exploitation can cause the TMM process to crash, resulting in a denial of service condition that disrupts all traffic processing through the affected BIG-IP APM virtual server.
Affected Products
- F5 BIG-IP Access Policy Manager (APM)
- BIG-IP APM virtual servers with per-request policies configured
- Portal access configurations on affected BIG-IP APM versions
Discovery Timeline
- October 15, 2025 - CVE-2025-61960 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-61960
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), indicating that the TMM component fails to properly validate pointer references when processing certain types of traffic. The vulnerability exists in the per-request policy handling code path within the BIG-IP APM module. When the TMM encounters the undisclosed traffic pattern while processing requests through a portal access virtual server with per-request policies enabled, it attempts to dereference a null pointer, causing the process to crash.
The attack can be executed remotely over the network without requiring authentication or user interaction. While the vulnerability does not compromise data confidentiality or integrity, it severely impacts system availability. Organizations using BIG-IP APM as a critical authentication and access control gateway may experience significant service disruptions if this vulnerability is exploited.
Root Cause
The root cause of CVE-2025-61960 is a NULL Pointer Dereference (CWE-476) within the Traffic Management Microkernel. The TMM fails to perform adequate null checks before dereferencing pointer variables during the processing of specific traffic patterns through per-request policy-enabled portal access virtual servers. This missing validation allows an attacker to craft network traffic that triggers the null pointer access, causing the TMM process to terminate.
Attack Vector
The vulnerability is exploitable via network access without requiring any authentication credentials or user interaction. An attacker can send specially crafted traffic to a BIG-IP APM portal access virtual server configured with per-request policies. When the TMM processes this malicious traffic, the null pointer dereference occurs, causing the process to crash. This attack can be repeated to create a sustained denial of service condition, preventing legitimate users from accessing applications protected by the BIG-IP APM.
The attack surface is limited to environments where:
- BIG-IP APM is deployed with portal access functionality
- Per-request policies are configured on the virtual server
- The virtual server is network-accessible to potential attackers
Detection Methods for CVE-2025-61960
Indicators of Compromise
- Unexpected TMM process restarts or crashes in BIG-IP system logs
- Repeated service disruptions on portal access virtual servers
- Core dump files generated by the TMM process
- Unusual traffic patterns targeting BIG-IP APM portal access endpoints
Detection Strategies
- Monitor BIG-IP system logs for TMM crash events and automatic restarts
- Implement alerting on multiple TMM process terminations within short time windows
- Review traffic analytics for anomalous request patterns to portal access virtual servers
- Deploy network-based intrusion detection to identify potential exploitation attempts
Monitoring Recommendations
- Configure SNMP traps or syslog forwarding for TMM-related events
- Establish baseline metrics for TMM process stability and alert on deviations
- Monitor virtual server availability metrics for portal access configurations
- Implement health checks that detect TMM service interruptions
How to Mitigate CVE-2025-61960
Immediate Actions Required
- Review your BIG-IP APM configurations to identify virtual servers with per-request policies on portal access
- Apply the appropriate security patches from F5 as detailed in the vendor advisory
- Consider temporarily disabling per-request policies on portal access virtual servers if patching is delayed
- Implement network-level access controls to limit exposure of affected virtual servers
Patch Information
F5 has released security updates to address this vulnerability. Organizations should consult the F5 Knowledge Base Article K000156597 for detailed information on affected versions and available patches. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.
Workarounds
- Restrict network access to BIG-IP APM portal access virtual servers using firewall rules or access control lists
- If per-request policies are not essential, consider using alternative policy configurations that do not trigger the vulnerability
- Implement rate limiting on portal access endpoints to reduce the impact of potential exploitation attempts
- Deploy a web application firewall (WAF) in front of the BIG-IP APM to filter potentially malicious traffic patterns
# Example: Restrict access to portal access virtual server via BIG-IP AFM
# Create an address list for allowed source networks
tmsh create security firewall address-list allowed_portal_sources addresses add { 10.0.0.0/8 192.168.0.0/16 }
# Create a firewall rule to restrict access
tmsh create security firewall rule-list portal_access_rules rules add { allow_trusted { action accept source { address-lists add { allowed_portal_sources } } } deny_all { action drop } }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
