CVE Alert: CVE-2025-59478 – F5 – BIG-IP

CVE-2025-59478

HIGH · No exploitation known

When a BIG-IP AFM denial-of-service (DoS) protection profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
F5
Product
BIG-IP
Versions
17.5.0 ≤ v < 17.5.1 | 17.1.0 ≤ v < 17.1.3 | 16.1.0 ≤ v (no upper bound listed) | 15.1.0 ≤ v < 15.1.10.8
CWE
CWE-824 Access of Uninitialized Pointer
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-15T13:55:43.732Z
Updated
2025-10-16T03:56:56.625Z

AI Summary Analysis

Risk verdict

High risk to service availability from a remote, unauthenticated DoS trigger; patch promptly where AFM DoS profiles are deployed.

Why this matters

Exploitation can crash the Traffic Management Microkernel, bringing down protected virtual servers and disrupting critical applications. Attackers aiming to degrade customer experience or force outages can achieve impact with no user interaction or credentials.

Most likely attack path

Network-based exploitation with no privileges required and no user interaction. An attacker can send crafted requests to a virtual server protected by the AFM DoS profile, triggering TMM termination. Scope is unchanged, so the impact stays within the BIG-IP system itself, but because TMM handles traffic for every virtual server on the device, a crash disrupts all protected services or instances sharing that host.

Who is most exposed

Organisations with public-facing BIG-IP deployments that rely on AFM DoS profiles on virtual servers, including enterprise perimeters, data centres, and service providers in cloud or hybrid environments.

Detection ideas

  • Monitor for TMM crashes and restart cycles; correlate with traffic spikes.
  • Look for crash dumps or kernel/driver errors linked to AFM components.
  • Anomalous surge in connections to protected virtual servers without corresponding authentication.
  • AFM DoS policy hits exceeding baseline; unusual rule matches.
  • Sudden, unexplained outages affecting web-facing services.

Mitigation and prioritisation

  • Apply the vendor patch to supported release lines as a priority; verify compatibility in a test environment before production rollout.
  • If patching is delayed, temporarily disable or adjust the DoS protection profile on affected virtual servers and enable compensating controls.
  • Implement rate-limiting, robust monitoring, and rapid failover to HA pairs; review change-control documentation and schedule a maintenance window.
  • Validate the EoTS status of the versions in use and plan upgrades accordingly.
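To make the Versions line above actionable for the inventory step just described, here is an added example (not from the advisory or from F5) that checks a BIG-IP version string against the listed ranges and reports which fixed release applies. It assumes the feed's notation means `start lt end` is "start ≤ version < end", that `lt *` marks a branch with no fixed release listed, and that each range applies only to its own major.minor branch (for example, `16.1.0 lt *` does not cover 17.x); these are interpretations of the listing, not statements from the vendor.

```python
"""Assess a BIG-IP version against the affected ranges listed for CVE-2025-59478.

Added example, not part of the advisory.  Assumptions about the feed's notation:
  - "start lt end" means start <= version < end within the start branch
  - "start lt *"   means the whole start branch is affected and no fix is listed
  - a range only applies to versions sharing the start's major.minor branch
"""
from typing import List, Optional, Tuple

# Version line copied verbatim from the advisory.
AFFECTED_RANGES = "17.5.0 lt 17.5.1 | 17.1.0 lt 17.1.3 | 16.1.0 lt * | 15.1.0 lt 15.1.10.8"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '15.1.10.8' into (15, 1, 10, 8).  BIG-IP uses 3 or 4 numeric fields."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Version, width: int = 4) -> Version:
    """Right-pad with zeros so '15.1.10' and '15.1.10.0' compare as equal."""
    return v + (0,) * (width - len(v))


def parse_ranges(line: str) -> List[Tuple[Version, Optional[Version], Optional[str]]]:
    """Parse 'a lt b | c lt *' into [(a, b, 'b'), (c, None, None)]."""
    ranges = []
    for chunk in line.split("|"):
        start, op, end = chunk.split()
        if op != "lt":
            raise ValueError(f"unsupported range operator {op!r} in {chunk!r}")
        if end == "*":
            ranges.append((parse_version(start), None, None))
        else:
            ranges.append((parse_version(start), parse_version(end), end))
    return ranges


def assess(version: str, line: str = AFFECTED_RANGES) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_release).

    status is one of:
      'affected'   - version falls inside a listed range (fixed_release may be None
                     when the listing gives no fix for that branch)
      'fixed'      - version is at or above the fixed release of its branch
      'not listed' - no range covers this branch; check EoTS status separately,
                     since the advisory says EoTS versions were not evaluated
    """
    v = pad(parse_version(version))
    for start, end, end_text in parse_ranges(line):
        if v[:2] != start[:2] or v < pad(start):
            continue  # different major.minor branch, or below the branch start
        if end is None:
            return ("affected", None)
        if v < pad(end):
            return ("affected", end_text)
        return ("fixed", end_text)
    return ("not listed", None)


if __name__ == "__main__":
    # Constructed sample inventory, one version per line as an asset tool might export it.
    inventory = ["17.5.0", "17.5.1", "17.1.2", "16.1.5", "15.1.10", "14.1.5"]
    for ver in inventory:
        status, fixed = assess(ver)
        print(f"{ver:>10}  {status:<10}  fixed in: {fixed or 'none listed'}")
```

Feed the function your own export of device versions; anything reported as `affected` with no fixed release, or as `not listed`, is a candidate for the EoTS check in the step above rather than a simple patch.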
