CVE-2025-52585
📋 TL;DR
A vulnerability in F5 BIG-IP LTM allows remote attackers to cause denial of service by sending specially crafted requests to virtual servers with specific SSL configurations. This affects BIG-IP systems with Client SSL profiles configured with SSL Forward Proxy enabled and Anonymous Diffie-Hellman ciphers enabled, causing the Traffic Management Microkernel to terminate.
💻 Affected Systems
- F5 BIG-IP LTM
📦 What is this software?
Big Ip Advanced Web Application Firewall by F5
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
Big Ip Application Visibility And Reporting by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of affected virtual servers, requiring manual intervention to restart TMM processes and restore functionality.
Likely Case
Intermittent service outages affecting SSL/TLS traffic processing on vulnerable configurations, leading to availability issues.
If Mitigated
No impact if ADH ciphers are disabled or SSL Forward Proxy is not configured on Client SSL profiles.
🎯 Exploit Status
Exploitation requires sending specific requests to vulnerable configurations but does not require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to F5 advisory K000141436 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000141436
Restart Required: Yes
Instructions:
1. Review F5 advisory K000141436 for affected versions.
2. Upgrade to fixed version per F5 documentation.
3. Restart TMM processes after upgrade.
🔧 Temporary Workarounds
Disable Anonymous Diffie-Hellman ciphers
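Remove ADH ciphers from SSL profiles to prevent exploitation. Append !ADH to the profile's existing cipher string rather than replacing it, and quote the value so bash does not treat ! as history expansion.
tmsh modify ltm profile client-ssl <profile_name> ciphers '<existing_cipher_string>:!ADH'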
Disable SSL Forward Proxy on Client SSL profiles
Remove SSL Forward Proxy configuration from vulnerable profiles
tmsh modify ltm profile client-ssl <profile_name> ssl-forward-proxy disabled
🧯 If You Can't Patch
- Apply workaround to disable ADH ciphers on all Client SSL profiles with SSL Forward Proxy enabled
- Implement network controls to restrict access to vulnerable virtual servers
🔍 How to Verify
Check if Vulnerable:
Check if any Client SSL profiles have both SSL Forward Proxy enabled and ADH ciphers enabled using: tmsh list ltm profile client-ssl | grep -A5 -B5 'forward-proxy\|ADH'
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify ADH ciphers are disabled and/or SSL Forward Proxy is disabled on Client SSL profiles
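The "Check if Vulnerable" step above, made per-profile instead of a context grep. This is an added example, not F5 tooling or code from the advisory. The function names and sample profile names are made up for illustration, and only literal ADH tokens in the cipher string are inspected (cipher keywords and cipher groups are not expanded).

```bash
#!/usr/bin/env bash
# Added example: flag profiles with ssl-forward-proxy enabled AND a live ADH token.
flag_profiles() {
  awk '
    $1 == "ltm" && $2 == "profile" && $3 == "client-ssl" {
      name = $4; fp = ""; adh = 0; killed = 0; next
    }
    $1 == "ssl-forward-proxy" { fp = $2 }       # exact match, not ...-bypass
    $1 == "ciphers" {
      gsub(/"/, "", $2); n = split($2, tok, ":")
      for (i = 1; i <= n; i++) {
        if (tok[i] == "!ADH") killed = 1        # permanent exclusion
        else if (tok[i] == "-ADH") adh = 0      # removal, may be re-added later
        else if (tok[i] ~ /ADH/ && tok[i] !~ /^[!+-]/) adh = 1
      }
    }
    /^}/ {                                      # unindented brace closes a profile
      if (name != "" && fp == "enabled" && adh && !killed) print name
      name = ""
    }
  '
}
# Constructed sample input, not captured from a real device.
sample_config() {
  cat <<'EOF'
ltm profile client-ssl clientssl {
    cert-key-chain {
        default { cert default.crt }
    }
    ciphers DEFAULT
    ssl-forward-proxy disabled
}
ltm profile client-ssl fp_inspect_legacy {
    ciphers DEFAULT:ADH
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
}
ltm profile client-ssl fp_inspect_fixed {
    ciphers DEFAULT:!ADH
    ssl-forward-proxy enabled
}
ltm profile client-ssl adh_no_proxy {
    ciphers ADH
    ssl-forward-proxy disabled
}
EOF
}
sample_config | flag_profiles   # prints: fp_inspect_legacy
```

On a device, pipe `tmsh list ltm profile client-ssl all-properties` into `flag_profiles`; `all-properties` is needed so that default and inherited values are listed.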
📡 Detection & Monitoring
Log Indicators:
- TMM process termination logs
- SSL handshake failures
- Connection resets on SSL virtual servers
Network Indicators:
- Sudden drop in SSL/TLS traffic
- Increased TCP resets on port 443/other SSL ports
SIEM Query:
source="bigip.log" AND ("TMM terminated" OR "SSL handshake failed" OR "ADH cipher")