Introduction
A single malformed request can take down critical application delivery infrastructure, disrupting services that rely on F5 BIG-IP Advanced Firewall Manager (AFM) for denial of service protection. CVE-2025-59478 exposes a flaw in the DoS protection profile mechanism, allowing remote attackers to trigger a denial of service by terminating the Traffic Management Microkernel (TMM) process on affected systems.
About F5 Networks and BIG-IP: F5 Networks is a global leader in application delivery and security, with its BIG-IP product line deployed in large enterprises, service providers, and critical infrastructure environments worldwide. BIG-IP AFM is a key module providing advanced firewall and DoS protection capabilities, making vulnerabilities in this platform highly impactful across the tech industry.
Technical Information
CVE-2025-59478 is rooted in the way BIG-IP AFM handles DoS protection profiles configured on virtual servers. When a specially crafted, undisclosed network request is sent to a virtual server with a DoS protection profile, the Traffic Management Microkernel (TMM) process can access an uninitialized pointer (CWE-824). This results in a process crash, causing immediate denial of service for all traffic managed by that TMM instance.
- The vulnerability is limited to the data plane and does not affect the control plane or management interfaces.
- Exploitation does not require authentication and can be performed remotely.
- Attack complexity is low once the request format is known, but F5 has not disclosed the exact triggering sequence.
- The issue only arises if AFM is licensed and a DoS protection profile is actively configured on a virtual server.
No public code snippets or detailed exploit payloads have been released. The root cause is an uninitialized pointer access within the TMM process when processing certain requests under the DoS protection profile logic.
Affected Systems and Versions
The following BIG-IP AFM versions are affected:
- 17.5.0
- 17.1.0 through 17.1.2
- 15.1.0 through 15.1.10
Only systems with AFM licensed and a DoS protection profile configured on at least one virtual server are vulnerable. Versions that have reached End of Technical Support (EoTS) are not evaluated by F5 and may or may not be affected.
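The affected-version list and the two preconditions above (AFM licensed, a DoS protection profile attached to at least one virtual server) translate directly into an inventory triage check. The script below is an added example, not code from F5 or from the advisory; the version ranges are the ones listed above, and it assumes that a range such as "17.1.0 through 17.1.2" covers every point release on that maintenance line (so 17.1.2.2 is treated as inside the range, and only the first three version components are compared). The `HostFacts` record and the sample inventory are constructed for illustration; how you obtain the version and the profile attachment from a real device is left to your inventory tooling.

```python
"""Triage helper for CVE-2025-59478 (added example, not F5 code).

Decides, per host, whether the advisory's conditions apply:
  1. the BIG-IP version falls in an affected range, and
  2. AFM is licensed and a DoS protection profile is on a virtual server.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Ranges taken from the advisory text, inclusive on both ends,
# expressed as (major, minor, maintenance).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((17, 5, 0), (17, 5, 0)),   # 17.5.0
    ((17, 1, 0), (17, 1, 2)),   # 17.1.0 through 17.1.2
    ((15, 1, 0), (15, 1, 10)),  # 15.1.0 through 15.1.10
]

# Branches the advisory evaluated; anything else is "not listed" rather
# than "safe", because the advisory says EoTS versions were not evaluated.
LISTED_BRANCHES = {(low[0], low[1]) for low, _ in AFFECTED_RANGES}


def parse_version(text: str) -> Version:
    """Parse '17.1.2.2' or '15.1.10' into (major, minor, maintenance).

    Assumption: point-release digits beyond the third component do not move a
    version out of its maintenance range, so they are ignored.
    """
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def version_in_affected_range(version: str) -> bool:
    """True if the version lies inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


@dataclass
class HostFacts:
    """Constructed inventory record; field values come from your own tooling."""
    name: str
    version: str
    afm_licensed: bool
    dos_profile_on_virtual: bool  # a DoS protection profile is attached to >= 1 virtual server


def triage(facts: HostFacts) -> str:
    """Classify one host against the advisory's conditions.

    Returns one of:
      'vulnerable'            version in range and both preconditions hold
      'not-exposed'           version in range but AFM/DoS profile precondition absent
      'outside-listed-range'  branch is listed, version is outside the affected range
      'not-listed'            branch not evaluated by the advisory (check support status)
      'unknown-version'       version string could not be parsed
    """
    try:
        v = parse_version(facts.version)
    except ValueError:
        return "unknown-version"
    if (v[0], v[1]) not in LISTED_BRANCHES:
        return "not-listed"
    if not version_in_affected_range(facts.version):
        return "outside-listed-range"
    if facts.afm_licensed and facts.dos_profile_on_virtual:
        return "vulnerable"
    return "not-exposed"


def triage_inventory(hosts: List[HostFacts]) -> Dict[str, str]:
    """Map host name to triage status for a whole inventory."""
    return {h.name: triage(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative only.
    sample = [
        HostFacts("bigip-edge-1", "17.1.2.2", afm_licensed=True, dos_profile_on_virtual=True),
        HostFacts("bigip-edge-2", "17.1.3", afm_licensed=True, dos_profile_on_virtual=True),
        HostFacts("bigip-lab", "15.1.10", afm_licensed=True, dos_profile_on_virtual=False),
        HostFacts("bigip-legacy", "14.1.4", afm_licensed=True, dos_profile_on_virtual=True),
    ]
    for name, status in triage_inventory(sample).items():
        print(f"{name:14s} {status}")
```

Hosts reported as `vulnerable` are the ones to prioritise for the fixed release or an engineering hotfix; `not-exposed` hosts still warrant a follow-up, because attaching a DoS profile to a virtual server later would flip them into scope without any version change.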
Vendor Security History
F5 Networks regularly publishes quarterly security notifications and has a track record of addressing vulnerabilities in its BIG-IP product line. Previous issues have included authentication bypass, remote code execution, and denial of service vulnerabilities. F5 typically provides timely advisories, detailed technical documentation, and patch guidance. The company recommends high availability deployment as a standard resilience measure and provides engineering hotfixes for supported versions when possible.