CVE-2025-24497

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP systems allows attackers to cause Traffic Management Microkernel (TMM) termination by sending specific requests to virtual servers with URL categorization enabled. This leads to denial of service, affecting availability of network services. Organizations running affected F5 BIG-IP versions with URL categorization configured are vulnerable.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: 17.1.0 - 17.1.1, 16.1.0 - 16.1.5, 15.1.0 - 15.1.11, 14.1.0 - 14.1.6, 13.1.0 - 13.1.6
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when URL categorization is configured on a virtual server. Versions that have reached End of Technical Support (EoTS) are not evaluated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption: TMM termination causes all traffic through the affected virtual server to be dropped, potentially affecting multiple applications and services.

🟠 Likely Case

Intermittent service outages as TMM restarts, causing temporary traffic disruption and potential session loss for users.

🟢 If Mitigated

Minimal impact if proper monitoring and automatic failover mechanisms are in place to handle TMM restarts.

🌐 Internet-Facing: HIGH - Virtual servers with URL categorization exposed to the internet can be directly targeted by attackers to cause service disruption.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to disrupt internal services, but requires access to internal network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific requests to vulnerable virtual servers but does not require authentication. The exact request pattern is undisclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 17.1.1.2, 16.1.5.1, 15.1.11.1, 14.1.6.1, 13.1.6.1

Vendor Advisory: https://my.f5.com/manage/s/article/K000140920

Restart Required: Yes

Instructions:

1. Download the appropriate fixed version from F5 Downloads.
2. Back up the current configuration.
3. Install the update following F5 upgrade procedures.
4. Restart TMM services.
5. Verify functionality.

🔧 Temporary Workarounds

Disable URL Categorization

F5 BIG-IP

Temporarily disable URL categorization on vulnerable virtual servers to prevent exploitation while planning patching.

tmsh modify ltm virtual <virtual_server_name> security url-categorization disabled

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to virtual servers with URL categorization enabled
  • Deploy WAF or IPS rules to block suspicious request patterns targeting URL categorization functionality

🔍 How to Verify

Check if Vulnerable:

Check if running an affected version: tmsh show sys version
Check URL categorization status: tmsh list ltm virtual <name> security | grep url-categorization

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify the version is patched: tmsh show sys version
Monitor TMM process stability and check logs for termination events.
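As an added check that is not part of this advisory, the script below classifies the Version field of tmsh show sys version output against the affected and fixed ranges listed above. The sample output layout is constructed and assumed, and a result of "affected" only establishes exposure by version: the flaw additionally requires URL categorization to be configured on a virtual server.

```python
"""Classify a BIG-IP release against the version ranges in this advisory."""
import re

# Version ranges from this advisory, keyed by major.minor branch:
# (first affected, last affected, first fixed), as integer tuples.
ADVISORY = {
    (17, 1): ((17, 1, 0), (17, 1, 1), (17, 1, 1, 2)),
    (16, 1): ((16, 1, 0), (16, 1, 5), (16, 1, 5, 1)),
    (15, 1): ((15, 1, 0), (15, 1, 11), (15, 1, 11, 1)),
    (14, 1): ((14, 1, 0), (14, 1, 6), (14, 1, 6, 1)),
    (13, 1): ((13, 1, 0), (13, 1, 6), (13, 1, 6, 1)),
}

# Constructed sample of `tmsh show sys version` output (layout assumed, not
# copied from a real device); only the "Version" line is parsed.
SAMPLE_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1.1
  Build       0.0.5
"""


def parse_version(text):
    """Return the Version field as a tuple of ints, e.g. (17, 1, 1, 1)."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(version):
    """Return 'affected', 'fixed' or 'not-evaluated' (branch not listed in
    the advisory, e.g. an EoTS release) for a parsed version tuple."""
    low, high, fixed = ADVISORY.get(version[:2], (None, None, None))
    if fixed is None:
        return "not-evaluated"
    if version >= fixed:  # the fix itself and anything later on that branch
        return "fixed"
    # The advisory's range bounds have three components ("17.1.1"), so a
    # point release such as 17.1.1.1 is matched on its first three.
    if low <= version[:3] <= high:
        return "affected"
    return "not-evaluated"


if __name__ == "__main__":
    v = parse_version(SAMPLE_OUTPUT)
    print(".".join(map(str, v)), "->", assess(v))  # 17.1.1.1 -> affected
```

On a device, pipe the real command output into parse_version instead of SAMPLE_OUTPUT and pair the verdict with the url-categorization check above.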

📡 Detection & Monitoring

Log Indicators:

  • TMM termination events in /var/log/ltm
  • Unexpected TMM restarts
  • High frequency of requests to URL categorization endpoints

Network Indicators:

  • Sudden drop in traffic to specific virtual servers
  • Increased error responses from BIG-IP

SIEM Query:

source="*/var/log/ltm*" AND ("TMM terminated" OR "TMM restarting")
