CVE-2025-54479

7.5 HIGH

📋 TL;DR

This vulnerability in F5 BIG-IP systems allows remote attackers to cause denial of service by sending specially crafted requests to virtual servers with classification profiles but without HTTP/HTTP2 profiles. This affects BIG-IP administrators who have configured classification profiles on virtual servers without proper HTTP profiles.

💻 Affected Systems

Products:
  • F5 BIG-IP
Versions: Affected versions include 17.1.x, 16.1.x, 15.1.x, and 14.1.x (specific ranges detailed in F5 advisory)
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when classification profile is configured on a virtual server without HTTP or HTTP/2 profile. End-of-Technical-Support versions are not evaluated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption as TMM (Traffic Management Microkernel) terminates, causing all traffic management functions to fail on affected systems.

🟠

Likely Case

Denial of service affecting specific virtual servers, requiring manual intervention to restart services.

🟢

If Mitigated

Minimal impact if proper HTTP/HTTP2 profiles are configured or classification profiles are removed from vulnerable configurations.

🌐 Internet-Facing: HIGH - Virtual servers exposed to the internet can be targeted by unauthenticated attackers to cause service disruption.
🏢 Internal Only: MEDIUM - Internal attackers or misconfigured clients could trigger the vulnerability, but requires specific configuration conditions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending undisclosed requests to vulnerable configurations. No authentication required to trigger the TMM termination.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to F5 advisory K000151475 for specific fixed versions per release train

Vendor Advisory: https://my.f5.com/manage/s/article/K000151475

Restart Required: Yes

Instructions:

1. Review F5 advisory K000151475 for your specific version.
2. Download and apply the appropriate hotfix or upgrade to a fixed version.
3. Restart TMM services as required.
4. Verify that configuration changes persist after the restart.

🔧 Temporary Workarounds

Remove classification profile from vulnerable virtual servers

Applies to: all

Remove classification profiles from virtual servers that don't have HTTP or HTTP/2 profiles configured

tmsh modify ltm virtual <virtual_server_name> profiles delete { classification }

Add HTTP or HTTP/2 profile to virtual servers with classification

Applies to: all

Ensure all virtual servers with classification profiles have either HTTP or HTTP/2 profiles configured

tmsh modify ltm virtual <virtual_server_name> profiles add { http }

🧯 If You Can't Patch

  • Apply workaround to remove classification profiles from vulnerable virtual servers or add HTTP/HTTP2 profiles
  • Implement network segmentation to restrict access to vulnerable virtual servers from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check virtual server configurations for a classification profile and verify whether an HTTP or HTTP/2 profile is also present:

tmsh list ltm virtual | grep -A5 -B5 'classification'
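As an added example (not from the advisory or from F5), a small Python script that applies this check to the text of `tmsh list ltm virtual` and flags virtual servers carrying a classification profile with no HTTP or HTTP/2 profile, including the case a grep with a fixed context window can miss, where the profiles block is long. It matches profiles by the built-in object names `classification`, `http` and `http2`; custom profiles derived from those parents are assumed to be added to the two sets by hand, and the sample tmsh output is constructed.

```python
import re

# Profile object names by type. Only the built-in parents are listed; custom
# profiles on a real system must be added to these sets (assumption: list them
# with `tmsh list ltm profile classification one-line` and the http/http2 equivalents).
CLASSIFICATION_PROFILES = {"classification"}
HTTP_PROFILES = {"http", "http2"}
# Constructed sample of `tmsh list ltm virtual` output, not from a real system.
SAMPLE_TMSH_OUTPUT = """\
ltm virtual /Common/vs_web_ok {
    profiles {
        /Common/classification { }
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
    }
}
ltm virtual /Common/vs_tcp_exposed {
    profiles {
        /Common/classification { }
        /Common/tcp { }
    }
}
"""

def parse_virtuals(text):
    """Map each virtual server name to its set of profile names (partition stripped)."""
    virtuals, current, in_profiles = {}, None, False
    for line in text.splitlines():
        header = re.match(r"ltm virtual (\S+) \{", line)
        if header:                          # start of a new virtual server block
            current, in_profiles = header.group(1), False
            virtuals[current] = set()
            continue
        item = line.strip()
        if item == "profiles {":            # enter the nested profiles block
            in_profiles, depth = True, 0
        elif not in_profiles or current is None:
            continue
        elif item == "}":                   # closes a context sub-block or the profiles block
            depth, in_profiles = (depth - 1, True) if depth else (0, False)
        elif item.startswith("/"):          # profile entry such as "/Common/http { }"
            virtuals[current].add(item.split()[0].rsplit("/", 1)[-1])
            depth += item.endswith("{")     # multi-line entry with a context sub-block
    return virtuals

def exposed_virtuals(text):
    """Virtual servers with a classification profile but no HTTP or HTTP/2 profile."""
    return sorted(name for name, profiles in parse_virtuals(text).items()
                  if profiles & CLASSIFICATION_PROFILES and not profiles & HTTP_PROFILES)
```

Before choosing the second workaround for a flagged virtual server, confirm it actually carries HTTP traffic: an HTTP profile applied to a non-HTTP service breaks that traffic, so removing the classification profile is the safer option there.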

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify patch installation with 'tmsh show sys version' and confirm vulnerable configurations are remediated

📡 Detection & Monitoring

Log Indicators:

  • TMM termination events in /var/log/ltm
  • Unexpected service restarts
  • Connection resets on virtual servers

Network Indicators:

  • Sudden drop in traffic to specific virtual servers
  • Increased TCP RST packets from BIG-IP

SIEM Query:

source="*/var/log/ltm*" AND ("TMM terminated" OR "segmentation fault") AND "classification"

🔗 References