CVE Alert: CVE-2025-53521 – F5 – BIG-IP

CVE-2025-53521

HIGH · No exploitation known

When a BIG-IP APM Access Policy is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
F5
Product
BIG-IP
Versions
>= 17.5.0, < 17.5.1.3 | >= 17.1.0, < 17.1.3 | >= 16.1.0, < 16.1.6.1 | >= 15.1.0, < 15.1.10.8
CWE
CWE-770: Allocation of Resources Without Limits or Throttling
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-15T13:55:52.694Z
Updated
2025-10-15T17:27:47.048Z

AI Summary Analysis

Risk verdict

High risk: remote, unauthenticated traffic to a BIG-IP APM virtual server can terminate TMM, with no exploitation signals shown in the data.

Why this matters

The issue can cause a denial of service on BIG-IP virtual servers that have APM access policies configured, potentially cutting off access to the applications behind the device. An attacker could use it to disrupt business-critical portals or degrade the user experience, compounding the impact of a targeted disruption.

Most likely attack path

Remote network traffic to a virtual server that has an APM Access Policy configured is sufficient to terminate TMM; no privileges or user interaction are required. The only precondition is that such a policy exists on a reachable virtual server. Scope is unchanged, so the impact is confined to the BIG-IP itself, but the traffic can be repeated to crash TMM again and again.

Who is most exposed

External-facing deployments of BIG-IP with APM policies on publicly reachable virtual servers, common in DMZs or multi-tenant/cloud environments where access policies are exposed to users or partner networks.

Detection ideas

  • Monitor TMM crashes and restart events; inspect core dumps or crash IDs.
  • Look for sudden spikes in CPU/memory on TMM nodes coinciding with traffic to APM-enabled virtual servers.
  • Inspect system logs for TMM-termination-related messages and policy-triggered events.
  • Detect repeated traffic patterns targeting APM policy endpoints without user interaction.
  • Correlate crashes with configuration changes to APM policies.
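An added example, not part of the alert or of any F5 tooling, implementing the first detection idea above: it parses constructed syslog-style lines in the shape of BIG-IP's /var/log/ltm and raises an alert when a host logs several TMM restarts within a short window. The "Re-starting tmm" wording, the year, the thresholds and the sample lines are all assumptions to adapt to what your deployment actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, syslog-like; the restart wording is an assumption.
SAMPLE_LTM_LOG = """\
Oct 15 14:01:02 bigip1 notice tmm[1234]: virtual /Common/apm_vs healthy
Oct 15 14:03:10 bigip1 emerg logger[2222]: Re-starting tmm
Oct 15 14:03:11 bigip1 notice sod[999]: tmm restarted, resuming service
Oct 15 14:07:40 bigip1 emerg logger[2223]: Re-starting tmm
Oct 15 14:09:05 bigip1 emerg logger[2224]: Re-starting tmm
Oct 15 14:09:30 bigip2 emerg logger[3333]: Re-starting tmm
Oct 15 16:30:00 bigip1 emerg logger[2225]: Re-starting tmm
"""

# Syslog timestamp (no year), host, then the assumed restart marker.
RESTART_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*Re-starting tmm"
)


def find_restart_bursts(log_text, window=timedelta(minutes=10), threshold=3, year=2025):
    """Return (host, first_ts, last_ts, count) for each burst of >= threshold
    TMM restarts on one host inside `window`; one alert per burst."""
    recent = defaultdict(deque)  # host -> timestamps of restarts still in window
    alerts = []
    for line in log_text.splitlines():
        m = RESTART_RE.match(line)
        if not m:
            continue
        # Syslog omits the year, so it is supplied by the caller (assumption).
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=year)
        q = recent[m["host"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop restarts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((m["host"], q[0], ts, len(q)))
            q.clear()  # reset so a single burst produces a single alert
    return alerts


if __name__ == "__main__":
    for host, first, last, n in find_restart_bursts(SAMPLE_LTM_LOG):
        print(f"ALERT {host}: {n} TMM restarts between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

A single restart (bigip2) or an isolated one hours later (bigip1 at 16:30) is left out; only the cluster of three on bigip1 between 14:03 and 14:09 is reported.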

Mitigation and prioritisation

  • Apply the latest supported patch/upgrade addressing this issue; verify compatibility in staging before production.
  • If patching is constrained, restrict network access to BIG-IP management and APM endpoints to trusted sources only.
  • Disable or temporarily remove non-essential APM policies on affected virtual servers.
  • Enhance monitoring: enable crash reporting, enable verbose APM traffic analytics, and implement rate limiting.
  • If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1.
