CVE-2025-23412

7.5 HIGH

📋 TL;DR

This vulnerability in BIG-IP APM allows an attacker to send specially crafted requests that cause the Traffic Management Microkernel (TMM) to terminate, resulting in denial of service. It affects F5 BIG-IP systems with APM Access Profile configured on virtual servers. Organizations using affected BIG-IP versions with APM functionality are vulnerable.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: See F5 advisory K000141003 for the affected and fixed version list
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when APM Access Profile is configured on a virtual server. Systems without APM or without APM configured on virtual servers are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service for all traffic passing through the BIG-IP system, requiring manual intervention to restart TMM processes.

🟠 Likely Case: Intermittent service disruption affecting APM-protected applications, potentially requiring TMM process restarts.

🟢 If Mitigated: Limited impact with proper network segmentation and request filtering in place.

🌐 Internet-Facing: HIGH - Internet-facing BIG-IP systems with APM are directly exposed to attack.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires sending specific, undisclosed requests to a vulnerable configuration. No authentication bypass is indicated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to F5 advisory K000141003 for fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000141003

Restart Required: No

Instructions:

1. Review F5 advisory K000141003 for affected versions.
2. Upgrade to a fixed version per F5 recommendations.
3. Apply the patch following F5 standard upgrade procedures.
4. Verify TMM processes remain stable after the upgrade.

🔧 Temporary Workarounds

  • Disable APM on vulnerable virtual servers (Scope: all)
    Remove the APM Access Profile from virtual servers that do not require it:
    tmsh modify ltm virtual <virtual_server_name> profiles delete { <apm_profile_name> }

  • Implement request filtering (Scope: all)
    Use iRules or security policies to filter suspicious requests, e.g.:
    when HTTP_REQUEST { if { [HTTP::uri] contains "suspicious_pattern" } { reject } }

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to APM-configured virtual servers
  • Deploy WAF or additional filtering layer in front of BIG-IP to block malicious requests

🔍 How to Verify

Check if Vulnerable:

Check whether an APM Access Profile is configured on any virtual server:
tmsh list ltm virtual one-line | grep -i apm
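A more robust form of that check, added here as example code (not from F5 or the advisory): the grep above only finds access profiles whose name happens to contain "apm", so this script takes the profile names from `tmsh list apm profile access one-line` and reports every virtual server whose profiles block references one of them. The sample tmsh output is constructed, and its exact one-line layout (one object per line, `name { }` entries inside `profiles { }`) is an assumption.

```python
import re

# Constructed sample modelled on `tmsh list apm profile access one-line`
# (assumption: one profile per line, full name as the fourth token).
ACCESS_PROFILES_OUT = """\
apm profile access /Common/corp_sso { accept-languages { en } type all }
apm profile access /Common/partner_portal { accept-languages { en } type all }
"""

# Constructed sample modelled on `tmsh list ltm virtual one-line`.
# Note that neither access profile name contains "apm", so `grep -i apm`
# on this output would report nothing.
VIRTUALS_OUT = """\
ltm virtual /Common/vs_portal { destination /Common/10.1.1.10:443 profiles { /Common/corp_sso { } /Common/http { } /Common/tcp { } } }
ltm virtual /Common/vs_api { destination /Common/10.1.1.11:443 profiles { /Common/http { } /Common/tcp { } } }
ltm virtual /Common/vs_partner { destination /Common/10.1.1.12:443 profiles { /Common/http { } /Common/partner_portal { } } }
"""

def access_profile_names(text):
    """Set of access profile names found in `apm profile access` output."""
    return {m.group(1) for m in re.finditer(r"^apm profile access (\S+) \{", text, re.M)}

def profiles_block(line):
    """Return the text inside the top-level 'profiles { ... }' of one virtual, or ''."""
    start = line.find("profiles {")
    if start < 0:
        return ""
    i = start + len("profiles")          # points at the space before '{'
    depth = 0
    for j in range(i, len(line)):
        if line[j] == "{":
            depth += 1
        elif line[j] == "}":
            depth -= 1
            if depth == 0:               # matching close of the profiles block
                return line[i + 2:j]
    return ""

def virtuals_with_access_profile(virtuals_out, access_out):
    """Map virtual server name -> sorted list of attached APM access profiles."""
    access = access_profile_names(access_out)
    hits = {}
    for line in virtuals_out.splitlines():
        m = re.match(r"ltm virtual (\S+) \{", line)
        if not m:
            continue
        attached = set(re.findall(r"(\S+) \{", profiles_block(line)))
        used = attached & access
        if used:
            hits[m.group(1)] = sorted(used)
    return hits

if __name__ == "__main__":
    for vs, profs in virtuals_with_access_profile(VIRTUALS_OUT, ACCESS_PROFILES_OUT).items():
        print(f"{vs}: exposed via access profile(s) {', '.join(profs)}")
```

On a real system, feed the output of the two tmsh commands in place of the constructed strings; profile names in a non-default partition carry a different prefix, which this comparison handles only when both commands print full paths.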

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify BIG-IP version is updated to fixed version and monitor TMM process stability

📡 Detection & Monitoring

Log Indicators:

  • TMM process crashes in /var/log/ltm
  • High frequency of connection resets
  • APM access log anomalies

Network Indicators:

  • Unusual request patterns to APM endpoints
  • Sudden increase in connection failures

SIEM Query:

source="bigip_logs" AND ("TMM terminated" OR "segmentation fault" OR "access violation")
