CVE Alert: CVE-2025-55669 – F5 – BIG-IP
CVE-2025-55669
When the BIG-IP Advanced WAF and ASM security policy and a server-side HTTP/2 profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Summary Analysis
Risk verdict
High risk to availability for exposed BIG-IP instances; there is no confirmed exploitation activity observed at this time.
Why this matters
Network attackers can trigger a TMM termination with undisclosed HTTP/2 traffic when a server-side HTTP/2 profile and a WAF/ASM policy are both present on a virtual server, potentially taking downstream services offline. The vulnerability is network-reachable, requires no authentication and has a high availability impact, so an automated attacker could target edge or front-end virtual servers to cause disruption across multiple applications.
Most likely attack path
Remote, unauthenticated exploitation via crafted or undisclosed HTTP/2 traffic to vulnerable virtual servers could crash TMM, resulting in denial of service. The flaw has low attack complexity, needs no user interaction and leaves scope unchanged, so impact could be rapid and widespread across affected instances.
Who is most exposed
Organisations deploying BIG-IP at internet-facing edges or as service-provider front-ends with active Advanced WAF/ASM and server-side HTTP/2 profiles are most at risk, especially where multiple virtual servers are exposed externally.
Detection ideas
- TMM crash/restart events or core dumps in system logs.
- 5xx spikes or HTTP/2 error patterns correlated with traffic to specific virtual servers.
- Unusual bursts of traffic to the HTTP/2 pathway preceding outages.
- Stability or system logs showing TMM-termination-related messages.
- Correlation of web traffic anomalies with recent maintenance windows.
Mitigation and prioritisation
- Patch to a non-affected version per vendor advisory; verify upgrade path and testing in staging.
- If patching is slow, temporarily disable or remove the server-side HTTP/2 profile on affected virtual servers.
- Apply compensating controls: restrict external access to affected services, implement stricter rate limits, and tighten WAF/ASM rules.
- Plan for a controlled maintenance window; ensure backups and rollback procedures.
- If exploitation indicators (unexpected activity) appear, escalate to priority 1 per SDLC governance.
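As an added check, not from the advisory or from F5, the following Python scans text in the layout of `tmsh list ltm virtual` output for virtual servers that combine an attached LTM policy with an HTTP/2 profile in server-side context, which is the configuration this advisory describes. The sample configuration is constructed; the set of HTTP/2 profile names and the assumption that the attached policy is the one carrying ASM enforcement are placeholders to confirm against `tmsh list ltm profile http2` and `tmsh list ltm policy` on the device.

```python
import re

# Constructed sample in the layout of `tmsh list ltm virtual` output; not captured from a real device.
SAMPLE = """\
ltm virtual vs_app1 {
    policies {
        asm_auto_l7_policy__vs_app1 { }
    }
    profiles {
        http2 {
            context serverside
        }
    }
}
ltm virtual vs_app2 {
    policies {
        asm_auto_l7_policy__vs_app2 { }
    }
    profiles {
        http2 {
            context clientside
        }
    }
}
"""

def find_candidates(config, http2_profiles=frozenset({"http2"})):
    """Return virtual servers with an attached policy and an HTTP/2 profile in server-side context."""
    found, stack, vs, info = [], [], None, {}
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line == "}":                          # block close; a closed virtual server is evaluated here
            stack.pop()
            if not stack and info.get("policy") and info.get("h2_server"):
                found.append(vs)
            continue
        m = re.match(r"^(.*?)\s*\{\s*(\})?$", line)   # "name {" or one-line "name { }"
        if m:
            head, one_line = m.group(1), bool(m.group(2))
            if head.startswith("ltm virtual "):
                vs, info = head.split()[2], {}
            elif stack and stack[-1] == "policies":
                info["policy"] = True            # assumption: the attached LTM policy carries the ASM action
            if not one_line:
                stack.append(head)
        elif line.startswith("context ") and len(stack) > 1 and stack[-2] == "profiles":
            if stack[-1] in http2_profiles and line.split()[1] in ("serverside", "all"):
                info["h2_server"] = True         # HTTP/2 profile applied on the server side
    return found
```

Virtual servers it reports are the ones where the temporary workaround (removing the server-side HTTP/2 profile) would apply.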