CVE-2025-61990 Overview
CVE-2025-61990 is a Double Free vulnerability (CWE-415) affecting F5 BIG-IP products running on multi-bladed platforms. When a BIG-IP system is configured with more than one blade, specially crafted or undisclosed network traffic can trigger a condition that causes the Traffic Management Microkernel (TMM) to terminate unexpectedly. The TMM is a critical component responsible for processing all application traffic through the BIG-IP system, making this vulnerability particularly impactful for high-availability environments.
This vulnerability can be exploited remotely over the network without requiring authentication or user interaction, enabling attackers to cause significant service disruption to organizations relying on F5 BIG-IP for load balancing, application delivery, and security services.
Critical Impact
Remote attackers can crash the TMM process on multi-blade F5 BIG-IP deployments, causing denial of service and potential traffic disruption across enterprise networks.
Affected Products
- F5 BIG-IP Local Traffic Manager (LTM)
- F5 BIG-IP Access Policy Manager (APM)
- F5 BIG-IP Advanced Firewall Manager (AFM)
- F5 BIG-IP Advanced Web Application Firewall (AWAF)
- F5 BIG-IP Application Security Manager (ASM)
- F5 BIG-IP DNS (formerly GTM)
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Policy Enforcement Manager (PEM)
- F5 BIG-IP Carrier-Grade NAT (CGNAT)
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Analytics
- F5 BIG-IP Link Controller
- F5 BIG-IP NEXT Cloud-Native Network Functions
- F5 BIG-IP NEXT for Kubernetes
- F5 BIG-IP NEXT Service Proxy for Kubernetes
Discovery Timeline
- October 15, 2025 - CVE-2025-61990 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-61990
Vulnerability Analysis
The vulnerability exists within the Traffic Management Microkernel (TMM), which is the data plane component responsible for processing all network traffic in F5 BIG-IP systems. TMM handles critical functions including load balancing, SSL termination, protocol parsing, and security policy enforcement.
On multi-bladed chassis platforms, TMM instances coordinate across multiple processing blades to distribute traffic and maintain state. The vulnerability is triggered when specific network traffic patterns cause a memory management error within the inter-blade communication or traffic processing logic. This results in a Double Free condition where the same memory region is deallocated twice, leading to heap corruption and subsequent process termination.
The impact is limited to availability (no confidentiality or integrity breach), but the consequences for production environments are severe. When TMM crashes, all traffic processing stops until the process restarts or fails over to a standby unit. In high-traffic environments, even brief outages can result in significant business impact.
Root Cause
The root cause is a Double Free memory corruption vulnerability (CWE-415). In this scenario, the TMM process incorrectly frees a memory allocation twice during traffic processing on multi-blade configurations. This typically occurs due to improper tracking of memory ownership between components or race conditions in the deallocation logic when processing concurrent traffic streams across multiple blades.
Double Free vulnerabilities occur when free() or equivalent memory deallocation functions are called on the same pointer more than once. This corrupts the heap metadata, and subsequent memory operations can cause unpredictable behavior including crashes.
Attack Vector
The attack is network-based and can be executed remotely without authentication or user interaction. The specific traffic patterns required to trigger the vulnerability have not been publicly disclosed by F5 to prevent active exploitation. However, the following characteristics apply:
- Remote Exploitation: Attackers can send malicious traffic from anywhere on the network
- No Authentication Required: The vulnerability can be triggered by unauthenticated traffic
- Multi-Blade Prerequisite: Only affects BIG-IP systems running on chassis with multiple blades
- Traffic Processing Context: The vulnerability is triggered during normal traffic processing operations
The "undisclosed traffic" terminology used by F5 indicates that specific packet sequences or protocol states are required, but details are intentionally withheld.
Detection Methods for CVE-2025-61990
Indicators of Compromise
- Unexpected TMM process restarts recorded in /var/log/ltm with signals indicating memory corruption
- System logs showing core dumps for TMM processes with heap corruption signatures
- Failover events on HA pairs triggered by TMM health check failures
- Increased frequency of connection resets or dropped sessions during traffic processing
Detection Strategies
- Monitor TMM process stability using SNMP traps or syslog forwarding for restart events
- Configure alerts for core dump generation in /var/core/ directory
- Implement external health monitoring to detect traffic processing interruptions
- Review BIG-IP VIPRION or vCMP chassis blade status for coordinated failures
Monitoring Recommendations
- Enable detailed logging for TMM events using tmsh modify sys db log.tmm.level value debug
- Configure SNMP traps for ltmDeviceFailover and bigipTmmRestart events
- Implement synthetic transaction monitoring to detect service availability gaps
- Monitor blade-to-blade communication health on chassis platforms
How to Mitigate CVE-2025-61990
Immediate Actions Required
- Review the F5 Security Article K000156912 for affected version details and patches
- Identify all multi-blade BIG-IP deployments in your environment
- Prioritize patching for internet-facing and critical infrastructure BIG-IP systems
- Ensure high-availability configurations are functional for failover protection
Patch Information
F5 has released security updates to address this vulnerability. Organizations should consult the F5 Security Advisory for specific version information and hotfix availability. Software versions that have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.
To check your current BIG-IP version:
# Check BIG-IP version and platform
tmsh show sys version
tmsh show sys hardware
Workarounds
- If immediate patching is not possible, consult the F5 security advisory for temporary mitigations
- Consider implementing rate limiting or traffic filtering at network perimeter
- Ensure HA failover is configured and tested to minimize downtime during TMM restarts
- Monitor for signs of exploitation while awaiting maintenance windows
# Configuration example - Monitor TMM health
# Enable TMM restart alerting via syslog
tmsh modify sys syslog remote-servers add { siem-server { host 10.0.0.100 } }
tmsh modify sys db log.tmm.level value notice
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
