F5 BIG-IP PEM CVE-2025-54479: Brief Summary of Traffic Management Microkernel DoS Vulnerability

This post provides a brief summary of CVE-2025-54479, a high-severity denial of service vulnerability in F5 BIG-IP Policy Enforcement Manager. The flaw allows remote attackers to terminate the Traffic Management Microkernel under specific configuration conditions, causing traffic disruption. Includes affected versions, technical details, and references.
ZeroPath CVE Analysis

2025-10-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Traffic disruption in critical network infrastructure can have immediate and far-reaching impact for service providers and enterprises. On October 15, 2025, F5 Networks disclosed a high-severity vulnerability in their BIG-IP Policy Enforcement Manager (PEM) product line that allows remote attackers to terminate the Traffic Management Microkernel (TMM) under specific configuration conditions, causing a denial of service.

About F5 Networks and BIG-IP: F5 Networks is a major global vendor in application delivery and security, with their BIG-IP platform widely deployed in telecommunications, large enterprises, and service provider networks. BIG-IP Policy Enforcement Manager is a specialized module for advanced traffic classification and policy enforcement, often used in high-throughput, mission-critical environments.

Technical Information

CVE-2025-54479 is triggered when a classification profile is configured on a BIG-IP virtual server without an HTTP or HTTP/2 profile. In this misconfiguration scenario, certain undisclosed network requests can cause the Traffic Management Microkernel (TMM) to perform an out-of-bounds write (CWE-787), resulting in process termination. The classification engine attempts to analyze application-layer traffic without the necessary protocol parsing logic, leading to a memory boundary violation. This causes TMM to crash and restart, disrupting all traffic processed by the affected instance.

  • The vulnerability is remotely exploitable without authentication.
  • Only the data plane (traffic processing) is affected; there is no control plane exposure.
  • The specific request patterns that trigger the issue are not publicly disclosed by F5.
  • No code snippets or proof of concept details are available in public sources.

Affected Systems and Versions

  • Affects F5 BIG-IP Policy Enforcement Manager (PEM)
  • Also affects BIG-IP Next CNF and BIG-IP Next for Kubernetes
  • Vulnerable when a classification profile is configured on a virtual server without an HTTP or HTTP/2 profile
  • Only versions under active technical support are evaluated; End of Technical Support (EoTS) versions are not covered
  • For exact fixed versions, refer to the official F5 advisory
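
One way to check a configuration for the exposure condition above is to list virtual servers that carry a classification profile but no HTTP or HTTP/2 profile. The following is an added example, not code from F5 or from the original post: it assumes bigip.conf-style `ltm profile <type> <name>` and `ltm virtual <name>` stanzas, and all object names in the sample are constructed. Every attached profile, built-in ones included, must be defined in the input; otherwise the virtual server is marked for review rather than exposed.

```python
# Added example; stanza layout is assumed and all object names are constructed.
SAMPLE_CONFIG = """\
ltm profile http /Common/web_http { }
ltm profile classification /Common/pem_classify { }
ltm profile tcp /Common/tcp_custom { }
ltm virtual /Common/vs_subscriber {
    profiles {
        /Common/pem_classify { }
        /Common/tcp_custom { }
    }
}
ltm virtual /Common/vs_web {
    profiles {
        /Common/pem_classify { }
        /Common/web_http { }
    }
}
"""

def stanzas(text):
    """Yield (header, body) for each outermost `header { body }` block."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header, start = text[text.rfind("\n", 0, i) + 1:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[start:i]

def audit(text):
    """Map virtual server -> 'exposed' or 'review' (undefined profile attached)."""
    ptype, attached = {}, {}
    for header, body in stanzas(text):
        words = header.split()
        if words[:2] == ["ltm", "profile"] and len(words) == 4:
            ptype[words[3]] = words[2]          # profile name -> profile type
        elif words[:2] == ["ltm", "virtual"] and len(words) == 3:
            attached[words[2]] = [name for hdr, inner in stanzas(body)
                                  if hdr == "profiles" for name, _ in stanzas(inner)]
    result = {}
    for vs, names in attached.items():
        types = {ptype.get(n, "unknown") for n in names}
        if "classification" in types and not types & {"http", "http2"}:
            result[vs] = "review" if "unknown" in types else "exposed"
    return result

print(audit(SAMPLE_CONFIG))
```

A virtual server reported as "review" has a classification profile plus at least one profile whose type could not be resolved from the input, so it needs a manual look.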

Vendor Security History

F5 Networks has a history of critical vulnerabilities in the BIG-IP platform, including previous TMM-related issues and remote code execution flaws. The vendor typically addresses these through quarterly security notifications and is recognized for transparent disclosure and timely patch releases. However, the operational complexity of their products means vulnerabilities can have significant impact before patches are widely deployed.
