CVE-2025-59778
📋 TL;DR
This vulnerability in the F5OS-C partition control plane allows undisclosed traffic to cause multiple container terminations when the Allowed IP Addresses feature is configured. It affects F5OS-C deployments with that feature enabled and can lead to service disruption. Only supported software versions are affected, not those at End of Technical Support.
💻 Affected Systems
- F5OS-C
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption with multiple critical containers terminating, causing extended downtime and potential data loss.
Likely Case
Service interruption affecting specific containers, requiring manual intervention to restore functionality.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.
🎯 Exploit Status
Exploitation requires sending specific undisclosed traffic patterns to systems with the vulnerable feature enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in CVE; check vendor advisory for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000151718
Restart Required: Yes
Instructions:
1. Review the vendor advisory for affected versions.
2. Apply the recommended patches from F5.
3. Restart affected services.
4. Verify that the patch is applied and that the system functions correctly.
🔧 Temporary Workarounds
Disable Allowed IP Addresses Feature
Temporarily disable the vulnerable feature until patching can be completed
# Consult F5 documentation for specific commands to disable Allowed IP Addresses feature
Implement Network Controls
Restrict network access to the partition control plane to trusted sources only
# Configure firewall rules to limit access to F5OS-C control plane
🧯 If You Can't Patch
- Implement strict network segmentation to isolate F5OS-C control plane traffic
- Enable enhanced monitoring and alerting for container termination events
🔍 How to Verify
Check if Vulnerable:
Check whether the Allowed IP Addresses feature is enabled on the F5OS-C partition control plane, and compare the running version against the versions listed in the vendor advisory
Check Version:
# Use F5OS CLI commands to check current version: show version
Verify Fix Applied:
Verify that a fixed version from the vendor advisory is installed and that the container terminations described above no longer occur
📡 Detection & Monitoring
Log Indicators:
- Multiple container termination events in short timeframe
- Unexpected process crashes in F5OS-C logs
- Error messages related to Allowed IP Addresses feature
Network Indicators:
- Unusual traffic patterns to partition control plane
- Traffic from unexpected sources to F5OS-C
SIEM Query:
source="f5os-c" AND ("container terminated" OR "process crash" OR "allowed ip")