CVE-2025-55669
📋 TL;DR
A vulnerability in F5 BIG-IP Advanced WAF and ASM allows undisclosed HTTP/2 traffic to cause the Traffic Management Microkernel (TMM) to terminate when specific configurations are present. This affects systems running vulnerable versions with both a security policy and server-side HTTP/2 profile configured. The vulnerability leads to denial of service.
💻 Affected Systems
- F5 BIG-IP Advanced WAF
- F5 BIG-IP ASM
📦 What is this software?
F5 BIG-IP is an application delivery controller (load balancer and full proxy) platform. Application Security Manager (ASM) and Advanced WAF are its web application firewall modules, which enforce security policies on traffic passing through BIG-IP virtual servers.
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage for affected virtual servers, potentially disrupting critical applications and services.
Likely Case
Intermittent service disruptions and performance degradation due to TMM restarts.
If Mitigated
Minimal impact if proper network segmentation and monitoring are in place to detect and respond to TMM failures.
🎯 Exploit Status
Undisclosed traffic pattern required; no authentication needed to send HTTP/2 requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check F5 advisory K000150752 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000150752
Restart Required: Yes
Instructions:
1. Review F5 advisory K000150752 for affected versions.
2. Download and apply the appropriate patch from F5 Downloads.
3. Restart TMM services after patching.
4. Verify the fix by testing HTTP/2 functionality.
🔧 Temporary Workarounds
Disable HTTP/2 Server Profile
Remove or disable the server-side HTTP/2 profile (the HTTP/2 profile attached with context serverside) from vulnerable virtual servers:
tmsh modify ltm virtual <virtual_server_name> profiles delete { <http2_profile_name> }
Implement Rate Limiting
Apply a connection rate limit to virtual servers that carry HTTP/2 traffic to reduce attack surface (the virtual server's rate-limit setting caps new connections per second):
tmsh modify ltm virtual <virtual_server_name> rate-limit <connections_per_second>
🧯 If You Can't Patch
- Remove server-side HTTP/2 profiles from vulnerable virtual servers
- Implement network segmentation to restrict HTTP/2 traffic to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check the virtual server configuration for both a security policy and a server-side HTTP/2 profile:
tmsh list ltm virtual <name> | grep -E 'profiles|policy'
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify patch version and test HTTP/2 traffic to ensure TMM remains stable
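Across many virtual servers, the check above is easier to run over the saved output of `tmsh list ltm virtual`. The following is an added example, not part of the advisory or of F5's tooling: it parses constructed, approximate tmsh output (assumed names and structure; real output carries many more fields) and reports virtual servers that meet both preconditions, treating the websecurity profile or any attached LTM policy as the security policy and an http2-type profile in context serverside (or with no context, which applies to both sides) as the server-side HTTP/2 profile.

```python
import re

# Constructed, approximate `tmsh list ltm virtual` output (assumption: made-up names).
SAMPLE = """\
ltm virtual vs_api_h2 {
    policies {
        asm_policy_api { }
    }
    profiles {
        http2 { context clientside }
        http2-server { context serverside }
        websecurity { }
    }
}
ltm virtual vs_web_h1 {
    profiles {
        http2 { context clientside }
        websecurity { }
    }
}
"""
# Names of http2-type profiles, as listed by `tmsh list ltm profile http2` (constructed).
HTTP2_PROFILES = {"http2", "http2-server"}

def parse_virtuals(text):
    """Map virtual server name -> {"policies": [names], "profiles": {name: context}}."""
    virtuals, current, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^ltm virtual (\S+) \{", line)
        if m:
            current = virtuals.setdefault(m.group(1), {"policies": [], "profiles": {}})
        elif re.match(r"^\s+(policies|profiles) \{", line):
            section = line.split()[0]
        elif re.match(r"^\s+\}\s*$", line):  # indented brace closes the section
            section = None
        elif current and section:
            m = re.match(r"^\s+(\S+) \{(?: context (\S+))? \}", line)
            if m and section == "policies":
                current["policies"].append(m.group(1))
            elif m:  # a profile listed without a context applies to both sides
                current["profiles"][m.group(1)] = m.group(2) or "all"
    return virtuals

def exposed_virtuals(text, http2_profiles=HTTP2_PROFILES):
    """Virtuals meeting both preconditions: a security policy (websecurity
    profile or attached LTM policy) and an HTTP/2 profile on the server side."""
    return [name for name, v in parse_virtuals(text).items()
            if ("websecurity" in v["profiles"] or v["policies"])
            and any(p in http2_profiles and c in ("serverside", "all")
                    for p, c in v["profiles"].items())]
```

Run it against `tmsh list ltm virtual` output captured from your own system and compare the profile names against `tmsh list ltm profile http2` before acting on the result.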
📡 Detection & Monitoring
Log Indicators:
- TMM termination/restart events in /var/log/ltm
- Unexpected virtual server downtime logs
Network Indicators:
- Spike in HTTP/2 traffic followed by service interruption
- TCP connection resets from affected virtual servers
SIEM Query:
source="*/var/log/ltm*" AND ("TMM terminated" OR "TMM restarting")