Introduction
A single configuration change on a widely deployed F5 BIG-IP system can result in complete service interruption for critical applications. CVE-2025-58096 is a high-severity denial of service vulnerability that targets the Traffic Management Microkernel (TMM) when a specific non-default setting is enabled, exposing organizations to remote service outages.
About F5 Networks and BIG-IP: F5 Networks is a major vendor in the application delivery and security market, with BIG-IP serving as a foundational platform for load balancing, SSL offloading, and web application security. BIG-IP devices are deployed globally in enterprise, government, and service provider networks, making vulnerabilities in this platform highly impactful across industries.
Technical Information
CVE-2025-58096 is rooted in the TMM component of BIG-IP, which handles all data plane traffic processing. The vulnerability is only exposed when the database variable tm.tcpudptxchecksum is set to Software-only instead of the default hardware offload mode. In this configuration, TMM performs TCP and UDP checksum calculations in software rather than leveraging hardware acceleration.
When operating in Software-only mode, certain undisclosed traffic patterns can trigger an out-of-bounds write (CWE-787) in TMM. This results in immediate termination of the TMM process, causing all traffic to be dropped until the process restarts. The vulnerability is exploitable by remote unauthenticated attackers who can send crafted packets to any BIG-IP virtual server. The issue is strictly in the data plane and does not affect the control plane or management interfaces.
F5 has not published the specific packet structures or traffic characteristics that trigger the vulnerability. This limits the ability to create network-based detection or mitigation rules. The risk is only present when the non-default configuration is active, so configuration audits are necessary to determine exposure.
Affected Systems and Versions
The following BIG-IP versions are affected when tm.tcpudptxchecksum is set to Software-only:
- BIG-IP 15.1.0 through 15.1.10
- BIG-IP 16.1.0 through 16.1.6
- BIG-IP 17.1.0 through 17.1.2
- BIG-IP 17.5.0 through 17.5.1
Fixed versions:
- 15.1.10.8 or later
- 16.1.6.1 or later
- 17.1.3 or later
- 17.5.1.3 or later
Only systems with the non-default Software-only checksum configuration are vulnerable. Systems using the default hardware offload setting are not affected.
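The configuration audit described above can be scripted against collected device data. The following is an added example, not F5 tooling or code from the advisory: it combines the fixed-version list in this section with the value of tm.tcpudptxchecksum. It assumes the setting was collected with `tmsh list sys db tm.tcpudptxchecksum`; the function names, status labels, hostnames and sample outputs are constructed for illustration.

```python
import re

# First fixed build per branch, copied from the "Fixed versions" list above.
# Assumption: any build on a listed branch below its first fixed build
# counts as affected (for example 15.1.10.7).
FIRST_FIXED = {
    (15, 1): "15.1.10.8",
    (16, 1): "16.1.6.1",
    (17, 1): "17.1.3",
    (17, 5): "17.5.1.3",
}

def parse_version(text):
    """'17.1.3' -> (17, 1, 3, 0); padded so tuples compare correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def parse_db_value(tmsh_output):
    """Extract the value from 'tmsh list sys db tm.tcpudptxchecksum' output."""
    m = re.search(r'sys db tm\.tcpudptxchecksum\s*\{\s*value\s+"?([^"\s}]+)',
                  tmsh_output)
    return m.group(1) if m else None

def assess(version_text, tmsh_output):
    version = parse_version(version_text)
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return "NOT_LISTED"      # branch not covered by the lists above
    if version >= parse_version(fixed):
        return "FIXED"
    value = parse_db_value(tmsh_output)
    if value is None:
        return "REVIEW"          # setting could not be read: check by hand
    if value.lower() == "software-only":
        return "EXPOSED"         # affected build with the vulnerable setting
    return "UPGRADE_ONLY"        # affected build, setting is not Software-only

# Constructed sample inventory (hostnames and outputs are made up).
SOFTWARE_ONLY = 'sys db tm.tcpudptxchecksum {\n    value "Software-only"\n}\n'
OTHER = 'sys db tm.tcpudptxchecksum {\n    value "constructed-other-value"\n}\n'
INVENTORY = [
    ("lb-a.example", "16.1.5", SOFTWARE_ONLY),
    ("lb-b.example", "15.1.10.8", SOFTWARE_ONLY),
    ("lb-c.example", "17.5.1", OTHER),
    ("lb-d.example", "17.1.2", ""),
]

if __name__ == "__main__":
    for host, version, output in INVENTORY:
        print(f"{host:14} {version:10} {assess(version, output)}")
```

Devices reported as REVIEW returned no parsable setting and should be checked by hand rather than assumed safe.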
Vendor Security History
F5 Networks has a history of critical vulnerabilities in BIG-IP, particularly in TMM and management interfaces. Notable examples include:
- CVE-2020-5902: Remote code execution in TMUI, widely exploited
- CVE-2023-46747: Authentication bypass in configuration utility
- CVE-2025-53474: Buffer overflow in TMM with iRule configurations
F5 issues quarterly security notifications, provides engineering hotfixes, and backports patches to supported versions. Their response to vulnerabilities is generally prompt, but the complexity of BIG-IP and its central role in infrastructure make these issues high-impact.