CVE-2025-58096
📋 TL;DR
A configuration-specific vulnerability in F5 BIG-IP systems: when the tm.tcpudptxchecksum database variable is set to 'Software-only' (a non-default value), undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. This affects BIG-IP administrators who have changed this specific setting from its default value.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
Big Ip Advanced Web Application Firewall by F5
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
Big Ip Application Visibility And Reporting by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete TMM termination leading to denial of service for all traffic processed by BIG-IP, potentially disrupting critical network services and applications.
Likely Case
Intermittent TMM crashes causing service disruptions and requiring manual intervention to restore functionality.
If Mitigated
No impact if the tm.tcpudptxchecksum variable remains at its default setting or if affected systems are patched.
🎯 Exploit Status
Exploitation requires sending specific traffic to trigger the condition. No authentication is needed, but exploitation requires knowledge of the vulnerable configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to F5 advisory K000156691 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000156691
Restart Required: Yes
Instructions:
1. Review F5 advisory K000156691 for affected versions.
2. Upgrade to patched version.
3. Restart TMM services.
4. Verify configuration remains secure.
🔧 Temporary Workarounds
Revert to default checksum setting
Change the tm.tcpudptxchecksum database variable back to its default value:
tmsh modify sys db tm.tcpudptxchecksum reset-to-default
🧯 If You Can't Patch
- Ensure tm.tcpudptxchecksum database variable is set to default value (not 'Software-only')
- Implement network segmentation to limit traffic exposure to BIG-IP systems
🔍 How to Verify
Check if Vulnerable:
Check current tm.tcpudptxchecksum setting: tmsh list sys db tm.tcpudptxchecksum | grep value
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify version is patched per F5 advisory and tm.tcpudptxchecksum is not set to 'Software-only'
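The configuration check above as a small shell helper. This is an added example, not code from F5 or from the original page: it parses the output of tmsh list sys db tm.tcpudptxchecksum and flags the 'Software-only' setting. The function names, exit codes and sample stanzas are assumptions constructed for illustration, and the stanza layout is assumed to match the usual tmsh sys db output.

```shell
# Added example: classify the tm.tcpudptxchecksum setting for CVE-2025-58096.
# Assumes stdin carries the stanza printed by: tmsh list sys db tm.tcpudptxchecksum

# Print the db value with quotes stripped, or nothing if no value is present.
# Scans every field so both the multi-line and the one-line stanza forms work.
extract_db_value() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "value") { v = $(i + 1); gsub(/"/, "", v); print v; exit }
    }'
}

# Verdict for the setting only; the software version is not checked here.
# Exit status: 0 = setting not exposed, 1 = exposed, 2 = could not determine.
classify_checksum_setting() {
    value=$(extract_db_value)
    case $(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') in
        software-only) echo "EXPOSED: tm.tcpudptxchecksum=$value"; return 1 ;;
        "")            echo "UNKNOWN: no value found in input";    return 2 ;;
        *)             echo "OK: tm.tcpudptxchecksum=$value";      return 0 ;;
    esac
}

# Constructed sample stanzas (not captured from a real device).
SAMPLE_EXPOSED='sys db tm.tcpudptxchecksum {
    value "Software-only"
}'
SAMPLE_ONELINE='sys db tm.tcpudptxchecksum { value "software-only" }'
SAMPLE_OTHER='sys db tm.tcpudptxchecksum {
    value "<default-value>"
}'

# On a BIG-IP (tmsh available) check the live setting; elsewhere do nothing.
if command -v tmsh >/dev/null 2>&1; then
    tmsh list sys db tm.tcpudptxchecksum | classify_checksum_setting
fi
```

An OK verdict covers only the configuration condition; the running version still has to be compared against F5 advisory K000156691.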
📡 Detection & Monitoring
Log Indicators:
- TMM process termination/crash logs
- High availability failover events
- System log entries indicating TMM restarts
Network Indicators:
- Sudden traffic drops through BIG-IP
- Increased latency or connection failures
SIEM Query:
source="bigip_logs" AND ("TMM terminated" OR "TMM crash" OR "failover event")