CVE-2025-22846

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP systems causes the Traffic Management Microkernel (TMM) to crash when specific SIP Session and Router ALG profiles are configured on Message Routing virtual servers. This leads to denial of service, affecting organizations using these specific configurations for SIP traffic handling.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: 17.1.0 to 17.1.1.1, 16.1.0 to 16.1.4.3, 15.1.0 to 15.1.10.2, 14.1.0 to 14.1.5.6
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when both SIP Session and Router ALG profiles are configured on Message Routing type virtual servers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption as TMM crashes, causing all traffic through affected virtual servers to stop until TMM restarts automatically or manually.

🟠 Likely Case: Intermittent service outages affecting SIP traffic routing when specific malformed packets trigger the condition.

🟢 If Mitigated: Minimal impact if vulnerable configurations are not in use or if traffic filtering prevents triggering packets.

🌐 Internet-Facing: MEDIUM - SIP traffic from untrusted sources could trigger the condition, but requires specific vulnerable configuration.
🏢 Internal Only: LOW - Internal SIP traffic is less likely to contain malformed packets that trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires sending specific SIP traffic to vulnerable configuration; no authentication needed but requires knowledge of vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in 17.1.1.2, 16.1.4.4, 15.1.10.3, 14.1.5.7 and later

Vendor Advisory: https://my.f5.com/manage/s/article/K000139780

Restart Required: No

Instructions:

1. Download the appropriate hotfix from F5 Downloads.
2. Upload it to the BIG-IP system.
3. Install it using tmsh: 'install sys software hotfix <filename>'.
4. Verify the installation with 'show sys software'.

🔧 Temporary Workarounds

Remove vulnerable configuration (applies to: all)

Remove SIP Session and Router ALG profiles from Message Routing virtual servers:

tmsh modify ltm virtual <vs_name> profiles delete { sip-session router-alg }

Block SIP traffic temporarily (applies to: all)

Use iRules or firewall rules to block SIP traffic to vulnerable virtual servers:

when CLIENT_ACCEPTED { if {[TCP::local_port] == 5060} { reject } }

🧯 If You Can't Patch

  • Remove SIP Session and Router ALG profiles from Message Routing virtual servers
  • Implement network filtering to block malformed SIP packets before reaching BIG-IP

🔍 How to Verify

Check if Vulnerable:

Check if Message Routing virtual servers have both SIP Session and Router ALG profiles: 'tmsh list ltm virtual <vs_name> profiles'

Check Version:

tmsh show sys version | grep Version

Verify Fix Applied:

Verify version is patched: 'tmsh show sys version' and check for fix versions
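The two checks above, as an added example that is not part of the advisory or F5's own tooling: it parses saved output of 'tmsh list ltm virtual' for virtual servers carrying both profiles, and compares a version string against the fixed releases listed on this page. The profile basenames (sip-session, router-alg) are taken from the workaround command above and the tmsh output sample is constructed; real deployments may use custom profile names.

```python
import re

# Profile basenames as written in this page's workaround command (assumed).
SIP_SESSION = "sip-session"
ROUTER_ALG = "router-alg"

# Fixed releases from the advisory, keyed by affected branch.
FIXED = {(17, 1): (17, 1, 1, 2), (16, 1): (16, 1, 4, 4),
         (15, 1): (15, 1, 10, 3), (14, 1): (14, 1, 5, 7)}

# Constructed sample of `tmsh list ltm virtual` output (one-line profile entries).
SAMPLE = """\
ltm virtual /Common/sip_mr_vs {
    destination /Common/10.0.0.10:5060
    profiles {
        /Common/router-alg { }
        /Common/sip-session { }
        /Common/tcp { }
    }
}
ltm virtual /Common/sip_plain_vs {
    destination /Common/10.0.0.11:5060
    profiles {
        /Common/sip-session { }
        /Common/tcp { }
    }
}
"""

def parse_virtuals(text):
    """Map each virtual server name to the set of profile basenames it uses."""
    result = {}
    for m in re.finditer(r"ltm virtual (\S+) \{(.*?)\n\}", text, re.S):
        name, body = m.group(1), m.group(2)
        block = re.search(r"profiles \{(.*?)\n\s*\}", body, re.S)
        names = set()
        for line in (block.group(1).splitlines() if block else []):
            if line.strip():  # "/Common/router-alg { }" -> "router-alg"
                names.add(line.split()[0].rsplit("/", 1)[-1])
        result[name] = names
    return result

def vulnerable_virtuals(text):
    """Virtual servers that carry BOTH profiles named in the advisory."""
    return sorted(n for n, p in parse_virtuals(text).items()
                  if SIP_SESSION in p and ROUTER_ALG in p)

def version_status(version):
    """'patched', 'vulnerable', or 'not in listed range' for a TMOS version string."""
    v = tuple(int(x) for x in version.split("."))
    fix = FIXED.get(v[:2])
    if fix is None:
        return "not in listed range"
    return "patched" if v >= fix else "vulnerable"
```

A version outside the four affected branches is reported as "not in listed range" rather than "patched", since the page only states fixes for those branches.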

📡 Detection & Monitoring

Log Indicators:

  • TMM restart messages in /var/log/ltm
  • SIP parsing errors in application logs
  • Virtual server state changes

Network Indicators:

  • SIP traffic spikes followed by service interruption
  • TCP resets on SIP ports

SIEM Query:

source="/var/log/ltm" "TMM.*terminated" OR "TMM.*restart"

🔗 References
