CVE Alert: CVE-2025-58096 – F5 – BIG-IP

CVE-2025-58096

HIGH · No exploitation known

When the database variable tm.tcpudptxchecksum is configured as the non-default value Software-only on a BIG-IP system, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1: 7.5 (AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED)
Vendor: F5
Product: BIG-IP
Versions: >= 17.5.0, < 17.5.1.3 | >= 17.1.0, < 17.1.3 | >= 16.1.0, < 16.1.6.1 | >= 15.1.0, < 15.1.10.8
CWE: CWE-787 Out-of-bounds Write
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: 2025-10-15T13:55:52.333Z
Updated: 2025-10-16T03:56:29.900Z

AI Summary Analysis

Risk verdict

High risk of network-exploitable denial of service to the Traffic Management Microkernel due to a non-default tm.tcpudptxchecksum setting; urgency cannot be confirmed as KEV/SSVC exploitation status is not provided.

Why this matters

A TMM crash or restart can disrupt core traffic management, causing application outages for web-facing services and API endpoints. The impact scales with traffic volume, and no user interaction is required, raising the potential for business disruption, customer impact, and revenue loss during incidents.

Most likely attack path

An attacker needs network access to the device, and the tm.tcpudptxchecksum variable must be set to a non-default value; no privileges or user interaction are required. Exploitation would terminate TMM, leading to service downtime within the same scope; lateral movement is unlikely beyond disruption of traffic handling.

Who is most exposed

Environments where BIG-IP is exposed to internet-facing or untrusted networks, or used as a front door for large web/mobile services, are most at risk, including service providers and enterprise data-centre deployments.

Detection ideas

  • TMM restarts or crashes and crash-dump generation logs.
  • Unusual spikes in traffic disruption or sudden loss of availability for virtual servers.
  • Syslog/SNMP alerts indicating TMM termination events.
  • Infrastructure monitoring showing repeated TMM process restarts without clear config changes.
  • Anomalous or non-default values for tm.tcpudptxchecksum in config audits.

Mitigation and prioritisation

  • Apply vendor patch or upgrade to non-vulnerable releases promptly.
  • Ensure tm.tcpudptxchecksum is set to vendor-recommended default or hardened value; review and remove non-default configurations.
  • Enforce network controls: require trusted network access to management paths, implement strict ACLs, and deploy rate limiting for traffic to the device.
  • Verify redundancy and rapid failover for critical traffic paths; validate backup configurations and DR playbooks.
  • Change-management: schedule patching windows; test in staging; cross-check against EoL status where relevant.
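
The config-audit and patch-prioritisation steps above can be combined into one triage pass over an inventory. The following is an added example, not code from F5 or from this page: it checks each device's version against the affected ranges in the Versions field and reads the tm.tcpudptxchecksum setting from saved audit output. The hostnames, the stanza layout and the DEFAULT-VALUE placeholder are assumptions made for the example.

```python
import re

# Affected ranges from the Versions field above: (first affected, first fixed).
AFFECTED = [("17.5.0", "17.5.1.3"), ("17.1.0", "17.1.3"),
            ("16.1.0", "16.1.6.1"), ("15.1.0", "15.1.10.8")]
TRIGGER = "Software-only"  # the non-default value the advisory names

def vtuple(version, width=4):
    """'17.1.3' -> (17, 1, 3, 0) so that versions compare numerically."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def version_affected(version):
    v = vtuple(version)
    return any(vtuple(lo) <= v < vtuple(hi) for lo, hi in AFFECTED)

def parse_db_value(text):
    """Read the value from a 'sys db tm.tcpudptxchecksum { value ... }' stanza
    (assumed layout of the saved config-audit output)."""
    m = re.search(r'sys db tm\.tcpudptxchecksum\s*\{\s*value\s+"?([^"\s}]+)', text)
    return m.group(1) if m else None

def triage(version, db_text):
    if not version_affected(version):
        return "not-listed"  # fixed release, or an EoTS release that was not evaluated
    value = parse_db_value(db_text)
    if value is None:
        return "unknown"     # affected release, setting could not be read
    return "exposed" if value == TRIGGER else "patch-only"

# Constructed inventory: hostnames, versions and stanzas are sample data.
STANZA = 'sys db tm.tcpudptxchecksum {\n    value "%s"\n}\n'
INVENTORY = [
    ("ltm-edge-01", "17.1.2.1", STANZA % "Software-only"),
    ("ltm-edge-02", "16.1.6", STANZA % "DEFAULT-VALUE"),  # placeholder, not a real value
    ("ltm-core-01", "17.5.1.3", STANZA % "Software-only"),
    ("ltm-core-02", "15.1.10.7", ""),                     # audit output missing
]

def report(inventory):
    return {host: triage(version, text) for host, version, text in inventory}

if __name__ == "__main__":
    for host, verdict in report(INVENTORY).items():
        print(f"{host:12} {verdict}")
```

Devices reported as "exposed" meet both conditions in the advisory and belong at the front of the patch queue; "patch-only" devices run an affected release without the triggering setting.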
