CVE Alert: CVE-2025-53474 – F5 – BIG-IP
CVE-2025-53474
When an iRule using an ILX::call command is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Summary Analysis
Risk verdict
High-risk denial of service. Remote traffic to a virtual server that has an ILX::call iRule attached can terminate the Traffic Management Microkernel (TMM); the vendor description indicates no authentication or user interaction is needed. Patching should be prioritised.
Why this matters
TMM is the BIG-IP data-plane process: all traffic through the device's virtual servers passes through it. A TMM crash therefore interrupts every service on that unit, not only the application behind the vulnerable iRule, until TMM restarts (and may trigger failover in an HA pair), with the SLA and customer impact that implies. Because the trigger is ordinary network traffic with no user interaction, an attacker can repeat it to keep the device down, which makes rapid remediation important.
Most likely attack path
Preconditions: an iRule using ILX::call is attached to a virtual server the attacker can reach. The attacker sends the (undisclosed) crafted traffic to that virtual server and TMM terminates; no authentication or UI interaction is indicated. One reachable virtual server with the vulnerable configuration is enough to disrupt all traffic handled by that TMM, and the attacker can resend the traffic each time TMM comes back up.
Who is most exposed
Organisations with internet-facing or DMZ virtual servers that carry ILX::call-based iRules are at greatest risk. Software versions past End of Technical Support were not evaluated by the vendor and receive no fix, so any EoTS unit with this configuration should be assumed affected and upgraded or taken out of the exposed path.
Detection ideas
- TMM restart or crash messages in /var/log/ltm, and new core files under /var/core
- Recurrent TMM restarts minutes apart, which is what a traffic-triggered crash looks like when the attacker resends the trigger, as opposed to a single restart from known maintenance or an upgrade
- Core files whose backtraces point at iRule or ILX handling (F5 Support can analyse core files you cannot read yourself)
- Crashes that correlate in time with traffic to the virtual servers carrying ILX::call iRules, rather than with load peaks or configuration changes
- Spikes in CPU or memory on the unit concurrent with traffic to those virtual servers
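The detection ideas above come down to one observable that is cheap to check: TMM restarting repeatedly in a short window. The following Python script is an added example, not part of the original alert and not an F5 tool. It parses constructed /var/log/ltm-style lines (embedded below, not a real capture) and flags bursts of TMM restarts. The "Re-starting tmm" message text, the syslog year, the 10-minute window and the threshold of three restarts are assumptions to verify and tune on your own units and BIG-IP version.

```python
import re
from datetime import datetime, timedelta

# Constructed /var/log/ltm-style lines for this example (not a real capture).
# The "Re-starting tmm" text is the restart message this example keys on; treat
# the exact wording and the daemon names as assumptions to confirm on your own
# units before relying on them.
SAMPLE_LTM_LOG = """\
Jan 12 10:14:58 bigip1 notice tmm[2345]: No members available for pool /Common/app_pool
Jan 12 10:15:05 bigip1 notice sod[1200]: Re-starting tmm
Jan 12 10:17:40 bigip1 notice sod[1200]: Re-starting tmm
Jan 12 10:20:11 bigip1 notice sod[1200]: Re-starting tmm
Jan 12 10:20:12 bigip1 notice mcpd[1400]: Configuration load complete
Jan 12 14:02:00 bigip1 notice sod[1200]: Re-starting tmm
"""

# Syslog-style prefix: "Mon DD HH:MM:SS host". BIG-IP log lines carry no year,
# so the caller supplies one.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*\bRe-starting tmm\b"
)


def parse_tmm_restarts(log_text: str, year: int = 2025) -> list[datetime]:
    """Return the timestamps of every TMM restart message, in file order."""
    restarts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Normalise the double space of single-digit days ("Jan  2") before parsing.
        ts = " ".join(m.group("ts").split())
        restarts.append(datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"))
    return restarts


def find_restart_bursts(
    times: list[datetime],
    window: timedelta = timedelta(minutes=10),
    threshold: int = 3,
) -> list[tuple[datetime, int]]:
    """Group restarts into non-overlapping bursts of >= threshold within window.

    A lone restart is routine operations noise; repeated restarts minutes apart
    are what a traffic-triggered TMM crash looks like, because the attacker can
    resend the traffic as soon as TMM is back up.
    """
    times = sorted(times)
    bursts = []
    i = 0
    while i < len(times):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            bursts.append((times[i], j - i))
            i = j  # skip past this burst so it is reported once
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    restarts = parse_tmm_restarts(SAMPLE_LTM_LOG)
    for start, count in find_restart_bursts(restarts):
        print(f"{count} TMM restarts within 10 min starting {start:%b %d %H:%M:%S}")
        # Next step: check /var/core for core files from the same window, and
        # which virtual servers carrying ILX::call iRules saw traffic then.
```

On the constructed sample this reports one burst (three restarts starting 10:15:05) and ignores the isolated restart at 14:02, which is the distinction the second detection idea above is after. Run it against a real /var/log/ltm export and correlate any burst with core files and with flow records for the ILX-enabled virtual servers.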
Mitigation and prioritisation
- Apply the fixed version named in the official F5 security advisory for this CVE; confirm each unit's support status first, since EoTS versions were not evaluated and need an upgrade rather than a patch
- If patching is delayed, remove ILX::call from iRules on exposed virtual servers, or detach those iRules from internet-facing virtual servers; restrict any remaining ILX-enabled virtual servers to trusted networks
- Network filtering and rate limiting on the affected virtual servers reduce how often an attacker can repeat the crash but do not prevent it, and a WAF rule cannot be targeted at traffic whose shape is undisclosed; treat these as stopgaps, not fixes
- Test the upgrade in staging before production rollout and plan a burn-in window
- If the CVE is confirmed in CISA KEV or EPSS ≥ 0.5, treat as Priority 1; otherwise keep high priority with a clear remediation deadline
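Both the exposure question and the interim mitigation above turn on the same inventory: which virtual servers have an iRule attached that invokes ILX::call. The following Python script is an added example, not F5 code and not part of the original alert. It parses saved output in the shape of `tmsh list ltm rule` and `tmsh list ltm virtual` (captured on the unit with, for example, `tmsh -c 'cd /; list ltm rule recursive; list ltm virtual recursive' > config.txt`) and reports the virtual servers carrying an ILX::call iRule. The embedded sample is constructed; its object names, addresses and ILX plugin names are made up.

```python
import re

# Constructed excerpt in the shape of `tmsh list ltm rule` / `tmsh list ltm virtual`
# output. Object names, addresses and the ILX plugin names are made up for this
# example; they are not from any real BIG-IP.
SAMPLE_TMSH = """\
ltm rule /Common/ilx_lookup {
    when HTTP_REQUEST {
        set rpc [ILX::init my_plugin my_extension]
        set verdict [ILX::call $rpc check_request [HTTP::uri]]
        if { $verdict eq "deny" } { reject }
    }
}
ltm rule /Common/plain_redirect {
    when HTTP_REQUEST {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
ltm virtual /Common/vs_portal {
    destination /Common/192.0.2.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/portal_pool
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/ilx_lookup
        /Common/plain_redirect
    }
    source 0.0.0.0/0
}
ltm virtual /Common/vs_intranet {
    destination /Common/10.0.0.20:80
    ip-protocol tcp
    mask 255.255.255.255
    rules {
        /Common/plain_redirect
    }
    source 0.0.0.0/0
}
"""

OBJECT_RE = re.compile(r"^ltm (rule|virtual) (\S+) \{\s*$")
ILX_CALL_RE = re.compile(r"\bILX::call\b")


def parse_tmsh_objects(text):
    """Split tmsh output into {"rule": {name: body}, "virtual": {name: body}}.

    Object boundaries are found by brace depth. That is fine for the tmsh
    configuration syntax itself, but an iRule with an unbalanced brace inside a
    Tcl string would confuse this counter; for real exports, compare the rule
    count against `tmsh list ltm rule` before trusting the result.
    """
    objects = {"rule": {}, "virtual": {}}
    kind = name = None
    depth = 0
    body = []
    for line in text.splitlines():
        if kind is None:
            m = OBJECT_RE.match(line)
            if m:
                kind, name = m.group(1), m.group(2)
                depth, body = 1, []
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            objects[kind][name] = "\n".join(body)
            kind = name = None
        else:
            body.append(line)
    return objects


def rules_using_ilx_call(objects):
    """Names of iRules whose body invokes ILX::call (ILX::init alone does not count)."""
    return {name for name, body in objects["rule"].items() if ILX_CALL_RE.search(body)}


def attached_rules(virtual_body):
    """Rule names listed in a virtual server's `rules { ... }` block, in order."""
    names, in_rules = [], False
    for line in virtual_body.splitlines():
        stripped = line.strip()
        if stripped == "rules {":
            in_rules = True
        elif in_rules and stripped == "}":
            break
        elif in_rules:
            names.append(stripped)
    return names


def virtuals_exposed(objects):
    """Map each exposed virtual server to the ILX::call iRules attached to it."""
    ilx_rules = rules_using_ilx_call(objects)
    exposed = {}
    for vs_name, body in objects["virtual"].items():
        hits = [r for r in attached_rules(body) if r in ilx_rules]
        if hits:
            exposed[vs_name] = hits
    return exposed


if __name__ == "__main__":
    objs = parse_tmsh_objects(SAMPLE_TMSH)
    for vs, rules in sorted(virtuals_exposed(objs).items()):
        print(f"{vs}: ILX::call via {', '.join(rules)}")
```

On the sample, only /Common/vs_portal is reported, via /Common/ilx_lookup; /Common/vs_intranet attaches an iRule but not one that calls ILX::call, so it is not in the precondition set. The script matches rule names exactly as tmsh prints them, so capture both lists from the same folder context (the `cd /` plus `recursive` form above gives full partition paths for both) or the join between virtual servers and rules will miss.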