CVE Alert: CVE-2025-61990 – F5 – BIG-IP

CVE-2025-61990

HIGH · No exploitation known

When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor: F5
Product: BIG-IP, BIG-IP Next SPK, BIG-IP Next CNF, BIG-IP Next for Kubernetes
Versions: 17.5.0 lt 17.5.1.3 | 17.1.0 lt 17.1.3 | 16.1.0 lt 16.1.6.1 | 15.1.0 lt 15.1.10.8 | 2.0.0 lt * | 1.9.0 lt * | 1.8.0 lt * | 1.7.0 lt * | 2.0.0 lt * | 1.1.0 lt * | 2.0.0 lt *
CWE: CWE-415 (Double Free)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: 2025-10-15T15:19:52.979Z
Updated: 2025-10-16T03:56:26.234Z

AI Summary Analysis

Risk verdict

High risk of Denial-of-Service to the Traffic Management Microkernel (TMM) over the network, with no authentication required; current exploitation activity is not indicated, but impact is substantial for affected deployments.

Why this matters

TMM is central to BIG-IP traffic handling; a crash can disrupt application delivery across load balancers and trigger outages or degraded performance. Realistic attacker goals include forcing failover storms, service degradation, or disruption of multi-blade platforms where traffic can provoke TMM termination.

Most likely attack path

A remote attacker can send crafted traffic to the TMM interface to trigger a double-free condition, causing TMM to terminate or crash. Exploitation requires no user interaction and no privileges, which puts any network-connected BIG-IP instance with affected TMM surfaces at risk; multi-blade platforms may experience broader disruption due to inter-blade traffic handling.

Who is most exposed

Organisations with on-prem or cloud-hosted BIG-IP deployments that provide network-facing TMM access, especially on legacy or EoTS-ineligible releases and multi-blade configurations, are at greatest exposure.

Detection ideas

  • TMM crash or restart events logged in system logs; sudden spikes in core dumps.
  • Unexpected HA failovers or traffic disruption without service changes.
  • Core dumps or segmentation faults reported by the kernel; repeated termination events across blades.
  • Increased crash-related forensic artifacts during high traffic periods.

Mitigation and prioritisation

  • Apply the fixed release for your BIG-IP branch; prioritise upgrades to supported versions.
  • If immediate patching isn’t possible, segment TMM network paths, restrict access to trusted sources, and isolate multi-blade traffic where feasible.
  • Implement robust monitoring for TMM stability, enable early alerting on crash/log events, and enforce change-control for upgrade windows.
  • Verify EoTS status; decommission or isolate affected lines if maintenance windows are not available.
