Introduction
Unexpected outages on F5 BIG-IP can disrupt critical business applications and services, especially when an attacker can trigger them at will with crafted HTTP/2 traffic. On October 15, 2025, F5 disclosed CVE-2025-55669, a high-severity vulnerability in the BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) modules that applies when a security policy is combined with a server-side HTTP/2 profile. The flaw allows a remote, unauthenticated attacker to cause the Traffic Management Microkernel (TMM) to terminate. Because TMM processes all data-plane traffic, the impact is not confined to the virtual server that received the malicious request: traffic through the device is disrupted until TMM restarts.
About F5 Networks and BIG-IP: F5 Networks is a major vendor in the application delivery and security market, with its BIG-IP platform widely deployed in enterprise, government, and service provider environments. BIG-IP provides advanced traffic management, load balancing, and security features, and is considered a critical infrastructure component for many organizations.
Technical Information
CVE-2025-55669 is triggered when a BIG-IP virtual server is configured with both an Advanced WAF or ASM security policy and a server-side HTTP/2 profile. Under these conditions, certain undisclosed HTTP/2 traffic patterns can cause the TMM process to terminate unexpectedly. The vulnerability is classified as CWE-672 (Operation on a Resource after Expiration or Release), the parent class of use-after-free (CWE-416) and similar lifetime-management errors.
F5 has not published a root-cause analysis, so what follows is inference from the CWE classification and the configuration dependency rather than confirmed detail. The trigger condition points to an interaction between HTTP/2 stream lifecycle handling on the server side and WAF or ASM inspection of the same streams: if a stream is reset or closed while inspection state tied to it is still in use, TMM may reference memory or resources that have already been released, and the resulting fault takes down the whole process rather than just the offending connection. F5 has not released proof-of-concept code or sample traffic, and the exact triggering sequence remains undisclosed to limit exploitation risk. Two practical consequences follow: the attack surface is the data plane, so any reachable virtual server with the vulnerable combination is in scope, and the security policy itself cannot be relied on as a mitigation, since it is a precondition for the flaw rather than a defence against it.
Affected Systems and Versions
- Products: F5 BIG-IP Advanced WAF and Application Security Manager (ASM)
- Affected only when BOTH a security policy (WAF or ASM) AND a server-side HTTP/2 profile are configured on the same virtual server
- Version ranges:
- BIG-IP 17.1.0 through 17.1.2
- BIG-IP 16.1.0 through 16.1.5
- Fixed in: BIG-IP 17.1.2.2
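The two-part precondition above (security policy plus server-side HTTP/2 profile on the same virtual server) is what an operator needs to audit for before deciding which devices to patch first. The script below is an added example, not F5 code and not part of the advisory: it parses saved `tmsh list ltm profile http2` and `tmsh list ltm virtual` output and reports virtual servers that carry both a security policy and an HTTP/2 profile applied in the server-side context. The sample configuration is constructed with invented object names, and the markers the check relies on (the `websecurity` profile or an `ASM_`-prefixed profile entry as the sign that a security policy is attached, and `context serverside` or `context all` as server-side application of a profile) are assumptions about how tmsh renders the configuration that should be confirmed against your own output.

```python
"""Flag BIG-IP virtual servers that pair an ASM/Advanced WAF policy with a
server-side HTTP/2 profile, from saved `tmsh list` output (samples constructed)."""

# Constructed sample of `tmsh list ltm profile http2` output (names invented).
SAMPLE_HTTP2_PROFILES = """\
ltm profile http2 /Common/http2 {
    concurrent-streams-per-connection 10
}
ltm profile http2 /Common/http2_to_pool {
    defaults-from /Common/http2
}
"""

# Constructed sample of `tmsh list ltm virtual` output (names invented).
SAMPLE_VIRTUALS = """\
ltm virtual /Common/vs_app_vulnerable {
    profiles {
        /Common/ASM_app_policy { }
        /Common/http { }
        /Common/http2 {
            context clientside
        }
        /Common/http2_to_pool {
            context serverside
        }
        /Common/websecurity { }
    }
}
ltm virtual /Common/vs_app_waf_only {
    profiles {
        /Common/http2 {
            context clientside
        }
        /Common/websecurity { }
    }
}
ltm virtual /Common/vs_h2_backend_no_waf {
    profiles {
        /Common/http2 {
            context all
        }
    }
}
ltm virtual /Common/vs_h2_all_with_waf {
    profiles {
        /Common/http2 {
            context all
        }
        /Common/websecurity { }
    }
}
"""

# Assumption: BIG-IP attaches the websecurity profile when an ASM / Advanced
# WAF policy is assigned; an ASM_<policy> profile entry is a secondary sign.
ASM_PROFILE = "/Common/websecurity"
# Assumption: a profile applied with context "all" also acts on the server side.
SERVER_SIDE_CONTEXTS = {"serverside", "all"}


def parse_tmsh(text):
    """Parse brace-delimited tmsh output into nested dicts: 'key value' is a
    leaf, 'key { }' an empty block, 'key {' opens a block and '}' closes it."""
    root = {}
    stack = [root]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = block = {}
            stack.append(block)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tmsh output")
    return root


def http2_profile_names(listing):
    """Names of all HTTP/2 profiles defined on the system (any name is allowed,
    so the virtual-server listing alone cannot tell which profiles are HTTP/2)."""
    cfg = parse_tmsh(listing)
    return {k.split()[-1] for k in cfg if k.startswith("ltm profile http2 ")}


def find_exposed_virtuals(listing, h2_names):
    """Virtual servers that carry both a security policy and a server-side
    HTTP/2 profile, each listed with the offending profile names."""
    findings = []
    for key, body in parse_tmsh(listing).items():
        if not key.startswith("ltm virtual ") or not isinstance(body, dict):
            continue
        profiles = body.get("profiles", {})
        has_policy = ASM_PROFILE in profiles or any(
            n.rsplit("/", 1)[-1].startswith("ASM_") for n in profiles)
        server_h2 = [n for n, a in profiles.items() if n in h2_names
                     and isinstance(a, dict) and a.get("context") in SERVER_SIDE_CONTEXTS]
        if has_policy and server_h2:
            findings.append({"virtual": key.split()[-1], "server_side_http2": server_h2})
    return findings


if __name__ == "__main__":
    for hit in find_exposed_virtuals(SAMPLE_VIRTUALS, http2_profile_names(SAMPLE_HTTP2_PROFILES)):
        print(hit["virtual"], "->", ", ".join(hit["server_side_http2"]))
```

In the constructed sample only `vs_app_vulnerable` and `vs_h2_all_with_waf` are reported: `vs_app_waf_only` has a policy but applies HTTP/2 on the client side only, and `vs_h2_backend_no_waf` has server-side HTTP/2 but no policy, so neither matches the advisory's precondition. To run it against a real device, save the two `tmsh list` outputs to files on the BIG-IP or a jump host, make sure the listing covers every partition, and pass the file contents to the two functions in place of the samples. The script reads configuration only; a hit means the virtual server matches the affected configuration and should be prioritised for the fixed release, it does not test for the vulnerability itself.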
Vendor Security History
F5 has previously addressed several critical vulnerabilities in BIG-IP, including:
- CVE-2020-5902: Remote code execution in the Traffic Management User Interface (TMUI) management interface
- CVE-2021-23009: TMM crash on malformed HTTP/2 traffic
- CVE-2025-54500: HTTP/2 DoS via CPU exhaustion
F5 typically provides prompt advisories and patch releases, with detailed quarterly security notifications and upgrade guidance. The company has a mature vulnerability disclosure process and regularly updates its security best practices.