CVE Alert: CVE-2025-60016 – F5 – BIG-IP

CVE-2025-60016

HIGH · No exploitation known

When Diffie-Hellman (DH) group Elliptic Curve Cryptography (ECC) Brainpool curves are configured in an SSL profile’s Cipher Rule or Cipher Group, and that profile is applied to a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
F5
Product / Versions (affected range per branch; "lt *" means the record lists no fixed release for that branch)
BIG-IP: 17.5.0 lt * | 17.1.0 lt 17.1.2 | 16.1.0 lt * | 15.1.0 lt *
BIG-IP Next SPK: 2.0.0 lt * | 1.7.0 lt *
BIG-IP Next CNF: 2.0.0 lt * | 1.1.0 lt 1.4.0
CWE
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-15T13:55:44.110Z
Updated
2025-10-16T03:56:24.906Z

AI Summary Analysis

Risk verdict

High risk to availability from a remote, unauthenticated exploit that can crash the Traffic Management Microkernel (TMM); no active exploitation is indicated in the data, but impact is severe if triggered.

Why this matters

If an attacker can trigger the crash with traffic to a virtual server whose SSL profile enables Brainpool ECC DH groups, TMM terminates and restarts. TMM is the data plane for the whole device, so the outage is not confined to the misconfigured virtual server: every service that device terminates TLS for, or load-balances, drops until TMM is back, degrading availability for external and internal users alike.

Most likely attack path

  • Precondition: a BIG-IP SSL profile uses a Cipher Rule or Cipher Group whose DH Groups include ECC Brainpool curves, and that profile is attached to a virtual server.
  • Vector: undisclosed network traffic to that virtual server (the advisory does not describe the trigger); no authentication or user interaction is required.
  • Outcome: TMM termination, which interrupts every virtual server handled by that TMM, not only the one carrying the Brainpool profile; the scope stays within the affected device, so no other systems are compromised.
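The precondition chain above (cipher rule to cipher group to SSL profile to virtual server) can be audited offline from a `tmsh list ltm` dump. The script below is an added example written for this page, not F5 code. Its sample configuration is constructed and mirrors the tmsh object layout as assumed here (`dh-groups` on `ltm cipher rule`, `cipher-group` and `defaults-from` on `ltm profile client-ssl`, a `profiles` block on `ltm virtual`); confirm the field names against your own version's output before relying on it. It resolves `defaults-from` inheritance for client-ssl profiles and treats any reference to an affected cipher rule inside a cipher group as a hit, which is deliberately conservative.

```python
import re

# Constructed sample in the shape of `tmsh list ltm` output. Objects and values are
# made up for this example; field names follow the tmsh object model assumed above.
SAMPLE_CONFIG = """\
ltm cipher rule /Common/bp-rule {
    cipher ECDHE:DEFAULT
    dh-groups P256:P384:BRAINPOOLP256R1:BRAINPOOLP384R1
}
ltm cipher rule /Common/safe-rule {
    cipher ECDHE:DEFAULT
    dh-groups P256:P384:X25519
}
ltm cipher group /Common/bp-group {
    allow {
        /Common/bp-rule { }
    }
}
ltm cipher group /Common/safe-group {
    allow {
        /Common/safe-rule { }
    }
}
ltm profile client-ssl /Common/bp-clientssl {
    cipher-group /Common/bp-group
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/child-clientssl {
    defaults-from /Common/bp-clientssl
}
ltm profile client-ssl /Common/safe-clientssl {
    cipher-group /Common/safe-group
    defaults-from /Common/clientssl
}
ltm virtual /Common/vs_public {
    destination /Common/203.0.113.10:443
    profiles {
        /Common/child-clientssl {
            context clientside
        }
        /Common/http { }
    }
}
ltm virtual /Common/vs_internal {
    destination /Common/10.0.0.10:443
    profiles {
        /Common/safe-clientssl {
            context clientside
        }
    }
}
"""


def parse_objects(text):
    """Split tmsh list output into (kind, name, body) for each top-level object."""
    objects, depth, header, body = [], 0, [], []
    for line in text.splitlines():
        if depth == 0:
            if "{" not in line:
                continue                      # blank or stray line between objects
            header, body = line[: line.index("{")].split(), []
        else:
            body.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:                        # closing brace of the top-level object
            objects.append((" ".join(header[:-1]), header[-1], "\n".join(body[:-1])))
    return objects


def field(body, key):
    """Value of a single-token attribute such as dh-groups or cipher-group."""
    match = re.search(rf"^\s*{re.escape(key)}\s+(\S+)", body, re.M)
    return match.group(1) if match else None


def references(body, name):
    """True if the body names `name` as a whole token (so /a/rule does not match /a/rule2)."""
    return re.search(re.escape(name) + r"(?![\w.-])", body) is not None


def brainpool_exposure(text):
    """Follow rule -> group -> client-ssl profile -> virtual server and return the hits."""
    by_kind = {}
    for kind, name, body in parse_objects(text):
        by_kind.setdefault(kind, {})[name] = body
    rules = by_kind.get("ltm cipher rule", {})
    groups = by_kind.get("ltm cipher group", {})
    profiles = by_kind.get("ltm profile client-ssl", {})
    virtuals = by_kind.get("ltm virtual", {})

    # 1. Cipher rules whose DH Groups list any Brainpool curve.
    bad_rules = {n for n, b in rules.items()
                 if "BRAINPOOL" in (field(b, "dh-groups") or "").upper()}
    # 2. Cipher groups referencing such a rule anywhere (conservative: an `exclude` entry also counts).
    bad_groups = {n for n, b in groups.items() if any(references(b, r) for r in bad_rules)}

    # 3. Profiles whose effective cipher-group, own or inherited via defaults-from, is affected.
    def effective_group(name, seen=()):
        body = profiles.get(name)
        if body is None or name in seen:      # parent not in the dump (built-in), or a loop
            return None
        return field(body, "cipher-group") or effective_group(field(body, "defaults-from"), seen + (name,))
    bad_profiles = {n for n in profiles if effective_group(n) in bad_groups}

    # 4. Virtual servers with an affected profile attached.
    bad_virtuals = {n for n, b in virtuals.items() if any(references(b, p) for p in bad_profiles)}
    return {"rules": sorted(bad_rules), "groups": sorted(bad_groups),
            "profiles": sorted(bad_profiles), "virtuals": sorted(bad_virtuals)}


if __name__ == "__main__":
    for kind, names in brainpool_exposure(SAMPLE_CONFIG).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run it against a real dump by replacing `SAMPLE_CONFIG` with the saved output of `tmsh list ltm cipher rule`, `ltm cipher group`, `ltm profile client-ssl` and `ltm virtual`; the `virtuals` list is the set of listeners that meet the advisory's precondition. Server-ssl profiles are out of scope here and would need the same walk over `ltm profile server-ssl`.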

Who is most exposed

Organisation-wide deployments of BIG-IP acting as internet-facing TLS terminators or central load balancers are most at risk, especially where Brainpool curves are configured in SSL profiles for public-facing virtual servers.

Detection ideas

  • TMM crash evidence: a core file under /shared/core and the matching TMM termination and restart messages in /var/log/ltm.
  • Spike in TLS handshake failures or cryptographic errors on affected virtual servers shortly before a restart.
  • Unusual CPU or memory spikes in TMM, repeated TMM restarts, or HA failovers. Virtual servers do not restart on their own; they simply stop answering while TMM is down, so monitor VIP availability rather than per-VIP restart counts.
  • Correlated disruption of services behind the affected virtual server.

Mitigation and prioritisation

  • Apply the fixed releases where the record lists one: BIG-IP 17.1.x is fixed in 17.1.2 and BIG-IP Next CNF 1.x in 1.4.0. For the other listed branches (BIG-IP 17.5.x, 16.1.x and 15.1.x; BIG-IP Next SPK from 1.7.0 and from 2.0.0; BIG-IP Next CNF from 2.0.0) no fixed version is recorded, so treat the configuration change in the next point as the primary control until F5 publishes one.
  • Remove the Brainpool curves from the DH Groups of every cipher rule (and therefore every cipher group and SSL profile built on it) that is attached to a reachable virtual server; this is a configuration change and does not require a software upgrade. An SSL profile inherits its cipher group from its parent profile, so check inherited settings, not only profiles that set a cipher group directly.
  • Limit exposure: restrict which source addresses can reach the affected virtual servers (address lists, packet filters, an upstream firewall). A WAF policy on the same virtual server does not help, because the crash occurs in TMM's TLS processing, before any HTTP-layer inspection takes place.
  • Test changes in a staging environment; implement a controlled rollout with rollback plan.
  • Verify patch applicability and perform post-update validation of TLS configurations.
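To turn the Versions line into a per-device applicability check, the following added example (not from the page or from F5) encodes the ranges exactly as listed, grouped under the products in the order they appear. It assumes that BIG-IP (TMOS) ranges are scoped to a major.minor branch, so "16.1.0 lt *" covers 16.1.x only and does not reach 17.1.2, while the BIG-IP Next SPK/CNF ranges are scoped to a major version, so "1.1.0 lt 1.4.0" covers 1.1 through 1.3; confirm both readings against the F5 advisory before relying on them.

```python
# Affected ranges transcribed from the advisory's Versions line, grouped under the
# products in the order they are listed. "*" means no fixed release is listed.
AFFECTED = {
    "BIG-IP": [("17.5.0", "*"), ("17.1.0", "17.1.2"), ("16.1.0", "*"), ("15.1.0", "*")],
    "BIG-IP Next SPK": [("2.0.0", "*"), ("1.7.0", "*")],
    "BIG-IP Next CNF": [("2.0.0", "*"), ("1.1.0", "1.4.0")],
}

# Assumption: how many leading version components identify a release branch.
# TMOS branches are major.minor (15.1, 16.1, 17.1, 17.5); BIG-IP Next lines are
# versioned within a major (1.x, 2.x). Verify against the F5 advisory.
BRANCH_DEPTH = {"BIG-IP": 2, "BIG-IP Next SPK": 1, "BIG-IP Next CNF": 1}


def vtuple(version):
    """'17.1.1.2' -> (17, 1, 1, 2) so point and hotfix builds compare numerically."""
    return tuple(int(part) for part in version.split("."))


def same_branch(product, a, b):
    depth = BRANCH_DEPTH[product]
    return vtuple(a)[:depth] == vtuple(b)[:depth]


def is_affected(product, version):
    """True if `version` of `product` lies inside a listed affected range.

    A range (start, fixed) applies only within start's branch; inside it, every
    build >= start is affected until `fixed` (exclusive), or with no upper bound
    when fixed is "*".
    """
    v = vtuple(version)
    for start, fixed in AFFECTED.get(product, []):
        if not same_branch(product, start, version) or v < vtuple(start):
            continue
        return fixed == "*" or v < vtuple(fixed)
    # Not listed. The advisory does not evaluate EoTS branches, so "not listed"
    # is not the same as "not vulnerable".
    return False


def fixed_release(product, version):
    """First fixed build for version's branch, or None if the advisory lists none."""
    for start, fixed in AFFECTED.get(product, []):
        if same_branch(product, start, version) and fixed != "*":
            return fixed
    return None


if __name__ == "__main__":
    for product, version in [("BIG-IP", "17.1.1"), ("BIG-IP", "17.1.2"),
                             ("BIG-IP", "16.1.5"), ("BIG-IP Next CNF", "1.3.2")]:
        print(product, version, "affected" if is_affected(product, version) else "not listed",
              "fix:", fixed_release(product, version))
```

Feed it the version from `tmsh show sys version` on each device; a result of "affected" with `fix: None` is the case where only the DH Groups workaround is available.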
