CVE-2025-60016
📋 TL;DR
This vulnerability in F5 BIG-IP systems causes a denial of service when specific ECC Brainpool curves are configured in SSL profiles. Attackers can send crafted traffic to trigger TMM termination, disrupting service availability. Organizations using affected F5 BIG-IP versions with these specific cipher configurations are impacted.
💻 Affected Systems
- F5 BIG-IP
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption with TMM termination causing all traffic through affected virtual servers to stop, requiring manual intervention to restore service.
Likely Case
Intermittent service outages affecting SSL/TLS traffic on vulnerable virtual servers, leading to application downtime and user impact.
If Mitigated
No impact if vulnerable cipher configurations are not used or systems are patched/updated.
🎯 Exploit Status
Exploitation requires sending specific traffic to vulnerable virtual servers but does not require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in: 17.1.1.1, 16.1.5.1, 15.1.11.1, 14.1.6.1, 13.1.6.1
Vendor Advisory: https://my.f5.com/manage/s/article/K000139514
Restart Required: Yes
Instructions:
1. Download the appropriate fixed version from F5 Downloads.
2. Back up the configuration.
3. Install the update via the F5 management interface.
4. Reboot the system as required.
5. Verify that TMM restarts successfully.
🔧 Temporary Workarounds
Remove vulnerable cipher configurations
Remove ECC Brainpool curves from SSL profile cipher rules/groups:
tmsh modify ltm profile client-ssl <profile_name> ciphers remove 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256'
tmsh modify ltm profile server-ssl <profile_name> ciphers remove 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256'
🧯 If You Can't Patch
- Remove all ECC Brainpool curve configurations from SSL profiles immediately
- Implement network controls to limit traffic to affected virtual servers
🔍 How to Verify
Check if Vulnerable:
Check SSL profiles for brainpoolP256r1, brainpoolP384r1, or brainpoolP512r1 cipher configurations using:
tmsh list ltm profile client-ssl | grep -i brainpool
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify that the running version is patched:
tmsh show sys version | grep -i version
Then confirm that Brainpool curves have been removed from all SSL profiles.
📡 Detection & Monitoring
Log Indicators:
- TMM termination/crash logs in /var/log/ltm
- Unexpected virtual server restarts
- High availability failover events
Network Indicators:
- Sudden drops in SSL/TLS traffic to specific virtual servers
- Connection resets on affected ports
SIEM Query:
source="*/var/log/ltm*" AND ("TMM terminated" OR "panic" OR "segmentation fault")
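The version check in the "How to Verify" section and the log indicators in the detection section, as an added example that is not part of the original advisory summary or of any F5 tooling: it parses a version string (or `tmsh show sys version` output) and compares it against the fixed releases listed above, and it applies the SIEM query's terms to constructed sample `/var/log/ltm` lines. It assumes that any release in a listed branch older than that branch's fixed version is unpatched; the page does not state the exact affected ranges, so consult the advisory for those.

```python
import re

# Fixed releases listed in the advisory summary, keyed by branch (major, minor).
FIXED_VERSIONS = {
    (17, 1): (17, 1, 1, 1),
    (16, 1): (16, 1, 5, 1),
    (15, 1): (15, 1, 11, 1),
    (14, 1): (14, 1, 6, 1),
    (13, 1): (13, 1, 6, 1),
}

def parse_version(text):
    """Pull the dotted BIG-IP version out of a bare string or out of
    'tmsh show sys version' output; return it as a 4-tuple of ints."""
    m = (re.search(r"Version\s+(\d+(?:\.\d+){1,3})", text)
         or re.search(r"\b(\d+(?:\.\d+){1,3})\b", text))
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def fix_status(text):
    """'patched', 'unpatched' or 'unknown-branch' for CVE-2025-60016.
    Assumption (not stated on the page): any release in a listed branch
    that is older than that branch's fixed version counts as unpatched."""
    v = parse_version(text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown-branch"  # not in the list above: consult the F5 advisory
    return "patched" if v >= fixed else "unpatched"

# Constructed sample lines in the style of /var/log/ltm (not real captures).
SAMPLE_LTM_LOG = """\
Jan 10 12:00:01 bigip1 notice mcpd[1234]: AUDIT - client tmsh, user admin
Jan 10 12:00:07 bigip1 err tmm[5678]: Segmentation fault in tmm0
Jan 10 12:00:08 bigip1 crit sod[910]: TMM terminated, restarting tmm
Jan 10 12:00:15 bigip1 notice tmm[5690]: tmm0 started
"""

# Same terms as the SIEM query in the detection section, matched case-insensitively.
TMM_CRASH_TERMS = ("tmm terminated", "panic", "segmentation fault")

def tmm_crash_lines(log_text):
    """Return the log lines that carry a TMM termination indicator."""
    return [line for line in log_text.splitlines()
            if any(term in line.lower() for term in TMM_CRASH_TERMS)]
```

Feed `fix_status` the output of `tmsh show sys version` and `tmm_crash_lines` the contents of `/var/log/ltm`; a hit from the latter on a profile still carrying Brainpool curves is the condition the detection section describes.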