CVE-2025-59478
📋 TL;DR
A vulnerability in BIG-IP AFM DoS protection profiles allows specially crafted requests to crash the TMM process, causing denial of service. This affects BIG-IP systems with AFM DoS protection configured on virtual servers. Systems running software versions that have reached End of Technical Support are not evaluated but may still be vulnerable.
💻 Affected Systems
- F5 BIG-IP with AFM module
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage for all traffic handled by the affected virtual server due to TMM process termination, requiring manual intervention to restore service.
Likely Case
Intermittent service disruptions affecting availability of applications behind the vulnerable virtual server.
If Mitigated
Limited impact if traffic is load-balanced across multiple BIG-IP devices or if failover mechanisms are properly configured.
🎯 Exploit Status
Exploitation requires sending specific requests to the vulnerable virtual server. No authentication is required; the weakness is classified as CWE-824 (Access of Uninitialized Pointer).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to F5 advisory K000152341 for fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000152341
Restart Required: Yes
Instructions:
1. Review F5 advisory K000152341 for affected versions.
2. Upgrade to a fixed version following F5's upgrade procedures.
3. Restart TMM processes after upgrade.
🔧 Temporary Workarounds
Disable AFM DoS Protection
Remove or disable AFM DoS protection profiles from vulnerable virtual servers:
tmsh modify ltm virtual <virtual_server_name> profiles delete { <afm_dos_profile_name> }
Implement Rate Limiting
Apply additional rate limiting or traffic shaping to limit request volume, for example a connection rate limit on the virtual server itself (an http-compression profile does not limit traffic):
tmsh modify ltm virtual <virtual_server_name> rate-limit <max_new_connections_per_second>
🧯 If You Can't Patch
- Implement network segmentation to restrict access to vulnerable virtual servers
- Deploy additional DoS protection layers (WAF, rate limiting appliances) in front of BIG-IP
🔍 How to Verify
Check if Vulnerable:
Check whether AFM DoS protection profiles are attached to virtual servers (this grep only matches profile names containing "afm", so compare the output against your actual DoS profile names): tmsh list ltm virtual one-line | grep -i afm
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify that the running version is outside the affected range per F5 advisory K000152341 and that TMM processes remain stable under normal traffic.
📡 Detection & Monitoring
Log Indicators:
- TMM process termination events in /var/log/ltm
- High frequency of connection resets
- AFM DoS protection profile error messages
Network Indicators:
- Unusual traffic patterns to virtual servers with AFM DoS protection
- Sudden service unavailability followed by automatic recovery
SIEM Query:
source="/var/log/ltm" AND ("TMM terminated" OR "process restart")
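An added detection example, not part of the advisory: it scans /var/log/ltm-style lines for the indicators listed above and flags a host that logs repeated TMM terminations within a short window (a crash-loop pattern). The sample log lines are constructed, not real BIG-IP output, and the "DoS profile ... error" wording is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in /var/log/ltm (syslog) style; not captured from a real BIG-IP.
SAMPLE_LOG = """\
Mar  3 10:14:02 bigip1 notice mcpd[1234]: Node /Common/node1 monitor status up.
Mar  3 10:15:31 bigip1 err tmm[5678]: TMM terminated (signal 11)
Mar  3 10:15:33 bigip1 notice sod[2222]: process restart: tmm
Mar  3 10:15:40 bigip1 warning tmm[5679]: DoS profile /Common/dos_afm error (assumed wording)
Mar  3 10:22:10 bigip1 err tmm[5679]: TMM terminated (signal 11)
Mar  3 10:22:12 bigip1 notice sod[2222]: process restart: tmm
"""

# Indicator strings from the detection section; the DoS-profile pattern is an assumption.
INDICATORS = {
    "tmm_terminated": re.compile(r"TMM terminated", re.I),
    "process_restart": re.compile(r"process restart", re.I),
    "dos_profile_error": re.compile(r"dos profile .*error", re.I),
}
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")


def parse_ltm_events(text, year=2025):
    """Return (timestamp, host, indicator) for each line matching a known indicator.
    Syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((ts, m["host"], name))
                break  # one indicator per line
    return events


def repeated_tmm_crashes(events, window=timedelta(minutes=15), threshold=2):
    """Hosts with at least `threshold` 'TMM terminated' events inside any `window`."""
    flagged, recent_by_host = set(), {}
    for ts, host, name in sorted(events):
        if name != "tmm_terminated":
            continue
        recent = [t for t in recent_by_host.get(host, []) if ts - t <= window] + [ts]
        recent_by_host[host] = recent
        if len(recent) >= threshold:
            flagged.add(host)
    return flagged
```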