CVE-2025-20045

Q: What is the severity of CVE-2025-20045?

CVE-2025-20045 has a CVSS score of 7.5 (HIGH). This vulnerability allows an attacker to cause a denial of service by sending specially crafted SIP traffic to F5 BIG-IP systems with specific ALG configurations. The Traffic Management Microkernel (TMM) terminates, disrupting traffic processing. Affects F5 BIG-IP systems with SIP ALG profiles configured on Message Routing virtual servers.

7.5 HIGH

Denial of Service

📋 TL;DR

This vulnerability allows an attacker to cause a denial of service by sending specially crafted SIP traffic to F5 BIG-IP systems with specific ALG configurations. The Traffic Management Microkernel (TMM) terminates, disrupting traffic processing. Affects F5 BIG-IP systems with SIP ALG profiles configured on Message Routing virtual servers.

💻 Affected Systems

Products:

F5 BIG-IP

Versions: Versions prior to fixed releases (specific versions not provided in CVE)

Operating Systems: F5 TMOS

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when SIP session ALG profile with Passthru Mode enabled AND SIP router ALG profile are configured on a Message Routing type virtual server.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption as TMM terminates, requiring manual intervention to restore traffic processing.

🟠

Likely Case

Intermittent service outages affecting SIP traffic and potentially other services on the same BIG-IP device.

🟢

If Mitigated

No impact if vulnerable configurations are not present or traffic is filtered.

🌐 Internet-Facing: HIGH - SIP services are often internet-facing, making them accessible to attackers.

🏢 Internal Only: MEDIUM - Internal SIP traffic could still trigger the vulnerability if configurations exist.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires sending SIP traffic to vulnerable configuration but no authentication needed. Specific traffic patterns not disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check F5 advisory K000138932 for specific fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000138932

Restart Required: No

Instructions:

1. Review F5 advisory K000138932 for applicable fixed versions. 2. Upgrade to recommended version. 3. Verify configuration changes are not needed post-upgrade.

🔧 Temporary Workarounds

Disable vulnerable ALG configurations

F5 BIG-IP

Remove or modify SIP ALG profiles on Message Routing virtual servers to eliminate vulnerable configuration.

tmsh modify ltm virtual <virtual_server_name> profiles delete { sip-session-alg-profile }
tmsh modify ltm virtual <virtual_server_name> profiles delete { sip-router-alg-profile }

🧯 If You Can't Patch

Implement network filtering to block SIP traffic to vulnerable virtual servers.
Monitor TMM process health and implement automated restart procedures for outages.

🔍 How to Verify

Check if Vulnerable:

Check if any virtual servers have both SIP session ALG profile with Passthru Mode enabled and SIP router ALG profile configured: tmsh list ltm virtual one-line | grep -E 'sip-session-alg|sip-router-alg'

Check Version:

tmsh show sys version

Verify Fix Applied:

After patching, verify no TMM crashes occur during SIP traffic testing and check version is updated: tmsh show sys version

📡 Detection & Monitoring

Log Indicators:

TMM process termination logs in /var/log/ltm
SIP ALG error messages in system logs

Network Indicators:

Unusual SIP traffic patterns to Message Routing virtual servers
Sudden loss of SIP service

SIEM Query:

source="/var/log/ltm" AND "TMM terminated" OR source="/var/log/messages" AND "sip.*alg.*error"

📊 Metadata

CVE ID: CVE-2025-20045

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.4% exploit probability (60th percentile)

Published: February 5, 2025

Last Updated: October 21, 2025

🔗 References

https://my.f5.com/manage/s/article/K000138932 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Visibility And Reporting by F5

Big Ip Application Visibility And Reporting by F5

Big Ip Application Visibility And Reporting by F5

Big Ip Automation Toolchain by F5

Big Ip Automation Toolchain by F5

Big Ip Automation Toolchain by F5

Big Ip Carrier Grade Nat by F5

Big Ip Carrier Grade Nat by F5

Big Ip Carrier Grade Nat by F5

Big Ip Container Ingress Services by F5

Big Ip Container Ingress Services by F5

Big Ip Container Ingress Services by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Edge Gateway by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Ssl Orchestrator by F5

Big Ip Ssl Orchestrator by F5

Big Ip Ssl Orchestrator by F5

Big Ip Webaccelerator by F5

Big Ip Webaccelerator by F5

Big Ip Webaccelerator by F5

Big Ip Websafe by F5

Big Ip Websafe by F5

Big Ip Websafe by F5

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable vulnerable ALG configurations

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version: