Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61990

CVE-2025-61990: F5 BIG-IP APM DoS Vulnerability

CVE-2025-61990 is a denial of service vulnerability in F5 BIG-IP Access Policy Manager that causes TMM termination on multi-bladed platforms. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-61990 Overview

CVE-2025-61990 is a Double Free vulnerability (CWE-415) affecting F5 BIG-IP products running on multi-bladed platforms. When a BIG-IP system is configured with more than one blade, specially crafted or undisclosed network traffic can trigger a condition that causes the Traffic Management Microkernel (TMM) to terminate unexpectedly. The TMM is a critical component responsible for processing all application traffic through the BIG-IP system, making this vulnerability particularly impactful for high-availability environments.

This vulnerability can be exploited remotely over the network without requiring authentication or user interaction, enabling attackers to cause significant service disruption to organizations relying on F5 BIG-IP for load balancing, application delivery, and security services.

Critical Impact

Remote attackers can crash the TMM process on multi-blade F5 BIG-IP deployments, causing denial of service and potential traffic disruption across enterprise networks.

Affected Products

  • F5 BIG-IP Local Traffic Manager (LTM)
  • F5 BIG-IP Access Policy Manager (APM)
  • F5 BIG-IP Advanced Firewall Manager (AFM)
  • F5 BIG-IP Advanced Web Application Firewall (AWAF)
  • F5 BIG-IP Application Security Manager (ASM)
  • F5 BIG-IP DNS (formerly GTM)
  • F5 BIG-IP SSL Orchestrator
  • F5 BIG-IP Policy Enforcement Manager (PEM)
  • F5 BIG-IP Carrier-Grade NAT (CGNAT)
  • F5 BIG-IP DDoS Hybrid Defender
  • F5 BIG-IP Analytics
  • F5 BIG-IP Link Controller
  • F5 BIG-IP NEXT Cloud-Native Network Functions
  • F5 BIG-IP NEXT for Kubernetes
  • F5 BIG-IP NEXT Service Proxy for Kubernetes

Discovery Timeline

  • October 15, 2025 - CVE-2025-61990 published to NVD
  • October 21, 2025 - Last updated in NVD database

Technical Details for CVE-2025-61990

Vulnerability Analysis

The vulnerability exists within the Traffic Management Microkernel (TMM), which is the data plane component responsible for processing all network traffic in F5 BIG-IP systems. TMM handles critical functions including load balancing, SSL termination, protocol parsing, and security policy enforcement.

On multi-bladed chassis platforms, TMM instances coordinate across multiple processing blades to distribute traffic and maintain state. The vulnerability is triggered when specific network traffic patterns cause a memory management error within the inter-blade communication or traffic processing logic. This results in a Double Free condition where the same memory region is deallocated twice, leading to heap corruption and subsequent process termination.

The impact is limited to availability (no confidentiality or integrity breach), but the consequences for production environments are severe. When TMM crashes, all traffic processing stops until the process restarts or fails over to a standby unit. In high-traffic environments, even brief outages can result in significant business impact.

Root Cause

The root cause is a Double Free memory corruption vulnerability (CWE-415). In this scenario, the TMM process incorrectly frees a memory allocation twice during traffic processing on multi-blade configurations. This typically occurs due to improper tracking of memory ownership between components or race conditions in the deallocation logic when processing concurrent traffic streams across multiple blades.

Double Free vulnerabilities occur when free() or equivalent memory deallocation functions are called on the same pointer more than once. This corrupts the heap metadata, and subsequent memory operations can cause unpredictable behavior including crashes.

Attack Vector

The attack is network-based and can be executed remotely without authentication or user interaction. The specific traffic patterns required to trigger the vulnerability have not been publicly disclosed by F5 to prevent active exploitation. However, the following characteristics apply:

  • Remote Exploitation: Attackers can send malicious traffic from anywhere on the network
  • No Authentication Required: The vulnerability can be triggered by unauthenticated traffic
  • Multi-Blade Prerequisite: Only affects BIG-IP systems running on chassis with multiple blades
  • Traffic Processing Context: The vulnerability is triggered during normal traffic processing operations

The "undisclosed traffic" terminology used by F5 indicates that specific packet sequences or protocol states are required, but details are intentionally withheld.

Detection Methods for CVE-2025-61990

Indicators of Compromise

  • Unexpected TMM process restarts recorded in /var/log/ltm with signals indicating memory corruption
  • System logs showing core dumps for TMM processes with heap corruption signatures
  • Failover events on HA pairs triggered by TMM health check failures
  • Increased frequency of connection resets or dropped sessions during traffic processing

Detection Strategies

  • Monitor TMM process stability using SNMP traps or syslog forwarding for restart events
  • Configure alerts for core dump generation in /var/core/ directory
  • Implement external health monitoring to detect traffic processing interruptions
  • Review BIG-IP VIPRION or vCMP chassis blade status for coordinated failures

Monitoring Recommendations

  • Enable detailed logging for TMM events using tmsh modify sys db log.tmm.level value debug
  • Configure SNMP traps for ltmDeviceFailover and bigipTmmRestart events
  • Implement synthetic transaction monitoring to detect service availability gaps
  • Monitor blade-to-blade communication health on chassis platforms

How to Mitigate CVE-2025-61990

Immediate Actions Required

  • Review the F5 Security Article K000156912 for affected version details and patches
  • Identify all multi-blade BIG-IP deployments in your environment
  • Prioritize patching for internet-facing and critical infrastructure BIG-IP systems
  • Ensure high-availability configurations are functional for failover protection

Patch Information

F5 has released security updates to address this vulnerability. Organizations should consult the F5 Security Advisory for specific version information and hotfix availability. Software versions that have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.

To check your current BIG-IP version:

bash
# Check BIG-IP version and platform
tmsh show sys version
tmsh show sys hardware

Workarounds

  • If immediate patching is not possible, consult the F5 security advisory for temporary mitigations
  • Consider implementing rate limiting or traffic filtering at network perimeter
  • Ensure HA failover is configured and tested to minimize downtime during TMM restarts
  • Monitor for signs of exploitation while awaiting maintenance windows
bash
# Configuration example - Monitor TMM health
# Enable TMM restart alerting via syslog
tmsh modify sys syslog remote-servers add { siem-server { host 10.0.0.100 } }
tmsh modify sys db log.tmm.level value notice
tmsh save sys config

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.