CVE-2025-61951
📋 TL;DR
This vulnerability allows attackers to cause denial of service by sending undisclosed traffic to F5 BIG-IP systems with specific DTLS configurations. The Traffic Management Microkernel (TMM) terminates when exploited, disrupting traffic management services. Affected systems are F5 BIG-IP devices running vulnerable versions with DTLS 1.2 virtual servers configured with specific SSL profile settings.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
- Big Ip Advanced Web Application Firewall by F5
- Big Ip Application Acceleration Manager by F5
- Big Ip Application Security Manager by F5
- Big Ip Application Visibility And Reporting by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of all traffic managed by the affected BIG-IP system, potentially affecting multiple applications and services simultaneously.
Likely Case
Targeted denial of service against specific DTLS-enabled services, causing intermittent outages for applications using DTLS 1.2 with the vulnerable configuration.
If Mitigated
Minimal impact if systems are patched or the vulnerable configuration is not in use.
🎯 Exploit Status
Exploitation requires sending specific undisclosed traffic to vulnerable configurations. No authentication required to trigger the TMM termination.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check F5 advisory K000151309 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000151309
Restart Required: Yes
Instructions:
1. Review F5 advisory K000151309 for affected versions.
2. Upgrade to the recommended fixed version.
3. Restart TMM services after the upgrade.
4. Verify that configuration changes persist.
🔧 Temporary Workarounds
Disable vulnerable DTLS configuration
Modify the SSL profile so that SSL Sign Hash is not set to 'ANY', or disable the DTLS 1.2 virtual servers that use the vulnerable configuration:
tmsh modify ltm profile client-ssl <profile_name> sign-hash <specific_hash>
tmsh modify ltm virtual <virtual_name> profiles delete { <dtls_profile> }
🧯 If You Can't Patch
- Implement network segmentation to restrict access to DTLS virtual servers
- Deploy rate limiting or WAF rules to detect and block suspicious DTLS traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check whether any DTLS 1.2 virtual servers exist whose SSL profiles have a certificate, a key, and SSL Sign Hash set to ANY, and whose backend servers use DTLS 1.2 with client authentication enabled.
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify upgraded version matches F5's fixed version list and confirm vulnerable configuration is no longer present.
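As an added check for the configuration shape described above (example code, not part of this advisory or of F5's tooling): a Python script that scans `tmsh list ltm profile client-ssl all-properties` and `tmsh list ltm virtual` output for client-ssl profiles carrying a certificate, a key and `sign-hash any`, then lists the UDP virtual servers (DTLS runs over UDP) that attach them. The `all-properties` option and the exact output layout are assumptions, the sample text is constructed, and the backend client-authentication half of the condition is not checked here.

```python
"""Flag client-ssl profiles with cert + key + sign-hash any, and the UDP virtual servers that attach them."""
import re

# Constructed sample in the shape of `tmsh list ... all-properties` output (assumed format).
SAMPLE_PROFILES = """\
ltm profile client-ssl /Common/dtls-any {
    cert /Common/app.crt
    key /Common/app.key
    sign-hash any
}
ltm profile client-ssl /Common/dtls-sha256 {
    cert /Common/app.crt
    key /Common/app.key
    sign-hash sha256
}
"""
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_dtls {
    ip-protocol udp
    profiles {
        /Common/dtls-any {
            context clientside
        }
    }
}
ltm virtual /Common/vs_https {
    ip-protocol tcp
    profiles {
        /Common/dtls-any {
            context clientside
        }
    }
}
"""

def tmsh_objects(text, kind):
    """Return [(name, body)] for top-level `<kind> NAME { ... }` blocks; nested braces are indented."""
    return re.findall(rf"^{re.escape(kind)} (\S+) \{{\n(.*?)^\}}$", text, re.M | re.S)

def risky_client_ssl_profiles(text):
    """Profiles carrying a cert, a key and sign-hash any: the shape the advisory says to look for."""
    needed = (r"^\s*cert \S+", r"^\s*key \S+", r"^\s*sign-hash any$")
    return {name for name, body in tmsh_objects(text, "ltm profile client-ssl")
            if all(re.search(p, body, re.M) for p in needed)}

def exposed_virtuals(text, risky):
    """(virtual, profile) pairs where a UDP virtual server attaches one of the risky profiles."""
    return sorted((name, p) for name, body in tmsh_objects(text, "ltm virtual")
                  if re.search(r"^\s*ip-protocol udp$", body, re.M)
                  for p in risky if re.search(rf"^\s*{re.escape(p)} \{{", body, re.M))
```

Run `exposed_virtuals(SAMPLE_VIRTUALS, risky_client_ssl_profiles(SAMPLE_PROFILES))` on real `tmsh list` output saved to files; an empty result means no UDP virtual server attaches a profile of the flagged shape.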
📡 Detection & Monitoring
Log Indicators:
- TMM process termination logs
- Unexpected service restarts in /var/log/ltm
- DTLS connection failures
Network Indicators:
- Sudden drop in DTLS traffic
- Increased DTLS connection attempts to specific ports
SIEM Query:
source="f5_bigip" AND (event_type="process_termination" OR message="*TMM*")