CVE-2025-41431
📋 TL;DR
This vulnerability allows undisclosed requests to cause the Traffic Management Microkernel (TMM) to terminate on standby BIG-IP systems when connection mirroring is configured. This affects BIG-IP systems running vulnerable versions with connection mirroring enabled in traffic groups. The termination can lead to service disruption in high-availability configurations.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
BIG-IP Application Acceleration Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage in high-availability environments when standby systems fail and primary systems become overloaded or fail, causing denial of service for all traffic managed by the BIG-IP system.
Likely Case
Service disruption in traffic groups with connection mirroring enabled, potentially causing failover events and temporary loss of traffic processing capability.
If Mitigated
Minimal impact with proper monitoring and failover mechanisms in place, though some service degradation may occur during failover events.
🎯 Exploit Status
The vulnerability can be triggered by undisclosed requests, suggesting relatively simple exploitation. No public exploit details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to K000150668 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000150668
Restart Required: Yes
Instructions:
1. Review K000150668 advisory for affected versions
2. Upgrade to fixed version specified in advisory
3. Restart TMM services after upgrade
4. Verify connection mirroring functionality post-upgrade
🔧 Temporary Workarounds
Disable Connection Mirroring
Temporarily disable connection mirroring on virtual servers in traffic groups to eliminate the vulnerability vector
tmsh modify ltm virtual <virtual_server_name> mirror disabled
🧯 If You Can't Patch
- Implement network segmentation to restrict access to BIG-IP management interfaces
- Deploy additional monitoring for TMM process termination and failover events
🔍 How to Verify
Check if Vulnerable:
Check if connection mirroring is enabled on any virtual servers: tmsh list ltm virtual | grep -i mirror
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify running version matches fixed version from K000150668 and test connection mirroring functionality
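The grep in the "Check if Vulnerable" step prints the matching lines without saying which virtual server each belongs to. The script below is an added example, not from F5 or the original page, that maps every `mirror enabled` property back to its virtual server name. The function names and the sample configuration are constructed for illustration, and it assumes the brace-delimited stanza layout of `tmsh list` output.

```shell
#!/bin/sh
# Added example: name the virtual servers that have connection mirroring
# enabled, reading brace-delimited `tmsh list ltm virtual` output on stdin.

mirrored_virtuals() {
    awk '
        # At top level, remember the name only for "ltm virtual <name> {".
        depth == 0 { name = ($1 == "ltm" && $2 == "virtual") ? $3 : "" }
        {
            # Count only a direct property of the stanza, not nested blocks.
            if (depth == 1 && name != "" && $1 == "mirror" && $2 == "enabled")
                print name
            opened = gsub(/[{]/, "{")
            closed = gsub(/[}]/, "}")
            depth += opened - closed
        }
    '
}

# Constructed sample configuration (assumption, not taken from a real system).
sample_config() {
    cat <<'EOF'
ltm virtual vs_web {
    destination 192.0.2.10:https
    mirror enabled
    profiles {
        http { }
        tcp { }
    }
}
ltm virtual vs_internal {
    destination 192.0.2.11:http
    profiles {
        tcp { }
    }
}
ltm virtual vs_api {
    destination 192.0.2.12:https
    mirror enabled
}
EOF
}

# On a BIG-IP: tmsh list ltm virtual | mirrored_virtuals
sample_config | mirrored_virtuals
```

Each name it prints is a candidate for the `tmsh modify ltm virtual <virtual_server_name> mirror disabled` workaround until the fixed version is installed.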
📡 Detection & Monitoring
Log Indicators:
- TMM process termination logs in /var/log/ltm
- Failover events in /var/log/ha.log
- Connection mirroring error messages
Network Indicators:
- Unusual traffic patterns to virtual servers with mirroring enabled
- Increased failover events between BIG-IP systems
SIEM Query:
source="*/var/log/ltm*" AND ("TMM terminated" OR "connection mirroring")