BIG-IP SSL Orchestrator CVE-2025-55036: Brief Summary of Out-of-Bounds Write Vulnerability

This post provides a brief summary of CVE-2025-55036, a high-severity out-of-bounds write vulnerability affecting F5 BIG-IP SSL Orchestrator when configured as an explicit forward proxy with proxy connect enabled. Includes affected version details, technical context, and vendor security history.
CVE Analysis

8 min read

ZeroPath CVE Analysis


2025-10-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A single crafted request can terminate the data-plane process of an F5 BIG-IP SSL Orchestrator and interrupt TLS inspection for every user whose traffic passes through it. CVE-2025-55036 shows how one configuration option on a widely deployed security appliance can expose an enterprise network to denial of service.

F5 Networks is a major provider of application delivery and security solutions, with its BIG-IP product line deployed in many Fortune 500 companies, government agencies, and critical infrastructure. BIG-IP SSL Orchestrator is a specialized module for decrypting and orchestrating SSL/TLS traffic inspection across security devices, making it a central component in modern enterprise security architectures.

Technical Information

CVE-2025-55036 is an out-of-bounds write (CWE-787) in the data plane of F5 BIG-IP SSL Orchestrator. It is reachable only when an explicit forward proxy is configured on a virtual server and the proxy connect feature is enabled. In that configuration, undisclosed traffic (F5 has not published the triggering request format) corrupts memory in the Traffic Management Microkernel (TMM), which then terminates; traffic handled by that process is interrupted until it restarts, so the described impact is service degradation or denial of service. The vulnerability is remotely exploitable by an unauthenticated attacker who can reach the affected virtual server and requires no user interaction. Only the data plane is affected; the control plane is not. No public exploit code or detection method was available as of the advisory date, so exposure has to be determined from version and configuration review rather than from signatures.

Affected Systems and Versions

  • Product: F5 BIG-IP SSL Orchestrator
  • Affected versions:
    • 17.1.0 through 17.1.2 (inclusive)
    • 16.1.0 through 16.1.5 (inclusive)
  • Vulnerable only when:
    • Explicit forward proxy is configured on a virtual server
    • Proxy connect feature is enabled
  • Versions outside these ranges, including 17.1.3 and 16.1.6, are not affected.
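As an added example (not part of the original post, and not F5 tooling), the following Python script triages a BIG-IP against the two conditions above: the running version must fall inside an affected range, and the box must be configured as an explicit forward proxy. The sample `tmsh show sys version` and `tmsh list ltm profile http` outputs are constructed, the `proxy-type explicit` property is assumed to be how an explicit forward proxy appears in an `ltm profile http` listing, and point releases (a fourth version component such as 17.1.2.1) are assumed to share the status of their maintenance release because the fixes are 17.1.3 and 16.1.6. The SSL Orchestrator proxy connect setting is deliberately not checked, since the page gives no configuration syntax for it.

```python
"""Triage helper for CVE-2025-55036 (added example; not F5 or ZeroPath code).

Checks the running version against the affected ranges listed above and looks
for an `ltm profile http` object with `proxy-type explicit` (the explicit
forward proxy condition). The SSL Orchestrator "proxy connect" setting is not
checked: the page gives no syntax for it, so confirm it by hand in the SSLO
topology. Assumption: a point release such as 17.1.2.1 shares the status of
its maintenance release, since the fixes are the next ones (17.1.3, 16.1.6).
"""
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges from the list above, inclusive at both ends, keyed by branch.
AFFECTED_RANGES: Dict[Tuple[int, int], Tuple[Tuple[int, ...], Tuple[int, ...]]] = {
    (17, 1): ((17, 1, 0), (17, 1, 2)),
    (16, 1): ((16, 1, 0), (16, 1, 5)),
}

# Constructed samples resembling `tmsh show sys version` and
# `tmsh list ltm profile http`; not captured from a real device.
SAMPLE_SHOW_SYS_VERSION = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.2
  Build       0.0.8
"""
SAMPLE_LTM_PROFILE_HTTP = """\
ltm profile http http {
    proxy-type reverse
}
ltm profile http sslo-explicit-http {
    defaults-from http
    explicit-proxy {
        dns-resolver sslo-resolver
        tunnel-name http-tunnel
    }
    proxy-type explicit
}
"""

def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, maintenance); a fourth point-release field is dropped."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    major, minor, maint = (int(p) for p in parts[:3])
    return major, minor, maint

def is_affected_version(text: str) -> bool:
    """True when the version lies inside one of the listed affected ranges."""
    ver = parse_version(text)
    rng = AFFECTED_RANGES.get((ver[0], ver[1]))
    if rng is None:
        return False  # branch not listed on the page
    low, high = rng
    return low <= ver <= high

def version_from_show_sys_version(output: str) -> str:
    """Extract the Version field from `tmsh show sys version` output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in output")
    return m.group(1)

def explicit_proxy_profiles(config: str) -> List[str]:
    """Names of HTTP profiles listed with `proxy-type explicit`.

    A top-level object starts 'ltm profile http <name> {' and ends at an
    unindented '}'; nested stanzas such as explicit-proxy { } are indented.
    """
    found: List[str] = []
    name: Optional[str] = None
    explicit = False
    for line in config.splitlines():
        m = re.match(r"^ltm profile http (\S+) \{", line)
        if m:
            name, explicit = m.group(1), False
        elif name is not None and line.strip() == "proxy-type explicit":
            explicit = True
        elif name is not None and line.startswith("}"):
            if explicit:
                found.append(name)
            name = None
    return found

def triage(show_sys_version: str, ltm_profile_http: str) -> Dict[str, object]:
    """Combine both checks; 'possibly_exposed' still needs proxy connect confirmed."""
    version = version_from_show_sys_version(show_sys_version)
    affected = is_affected_version(version)
    profiles = explicit_proxy_profiles(ltm_profile_http)
    return {
        "version": version,
        "affected_version": affected,
        "explicit_proxy_profiles": profiles,
        "possibly_exposed": affected and bool(profiles),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_SYS_VERSION, SAMPLE_LTM_PROFILE_HTTP))
```

Feed the script the real output of the two tmsh commands from each device. A version hit on its own over-counts, because the advisory applies only with the explicit forward proxy and proxy connect both configured; a device flagged as possibly exposed still needs the proxy connect setting confirmed in its SSL Orchestrator topology before it is treated as vulnerable.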

Vendor Security History

F5 has previously addressed remote code execution, authentication bypass, and denial-of-service vulnerabilities in the BIG-IP product line. It publishes security advisories on a quarterly security notification schedule, each with an affected-version table and fix guidance, and maintains long-term support (LTS) release branches so that customers can stay on a stable release while still receiving security fixes.
