Introduction
Unexpected service interruptions on F5 BIG-IP systems can disrupt critical application delivery for enterprises and service providers. CVE-2025-61951 highlights a scenario where a specific DTLS 1.2 configuration causes the Traffic Management Microkernel (TMM) to terminate, resulting in denial of service for affected virtual servers.
About F5 Networks and BIG-IP: F5 Networks is a leading vendor in the application delivery and security space, with its BIG-IP platform deployed in thousands of enterprises and service providers worldwide. BIG-IP is central to load balancing, SSL offloading, and secure traffic management for high-value applications. F5's security advisories and quarterly notifications are closely watched by network and security teams due to the platform's critical role in modern infrastructure.
Technical Information
CVE-2025-61951 is an out-of-bounds read vulnerability (CWE-125) in the BIG-IP Traffic Management Microkernel (TMM) process, specifically when handling DTLS 1.2 handshakes. The vulnerability is triggered under these conditions:
- A BIG-IP DTLS 1.2 virtual server is enabled.
- The Server SSL profile attached to the virtual server is configured with a certificate, key, and the SSL Sign Hash parameter set to ANY.
- The backend server is also configured for DTLS 1.2 and requires client authentication.
The root cause is insufficient bounds checking during DTLS handshake processing, particularly when the 'ANY' setting for the SSL Sign Hash parameter allows negotiation of multiple signature algorithms. When combined with client authentication requirements, this can result in TMM reading beyond allocated buffer boundaries. The result is a TMM process termination, which disrupts all traffic handled by the affected TMM instance.
This issue is not present in default configurations and only arises when all the above criteria are met. The vulnerability does not lead to information disclosure but results in a denial of service by crashing the TMM process.
Affected Systems and Versions
- Products: F5 BIG-IP
- Vulnerable versions:
- All BIG-IP versions prior to 17.5.1.3 and 17.1.3
- Fixed versions:
- 17.5.1.3
- 17.1.3
- Vulnerable configurations:
- DTLS 1.2 virtual server enabled
- Server SSL profile with certificate, key, and SSL Sign Hash set to ANY
- Backend server with DTLS 1.2 and client authentication enabled
- Note: Versions that have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.
Vendor Security History
F5 Networks has addressed multiple vulnerabilities in the BIG-IP TMM component in recent years, including buffer overflows and denial of service issues (for example, CVE-2025-53474 and CVE-2025-58424). F5 typically issues quarterly security notifications and provides detailed advisories and fixed versions for supported products. The vendor's response time and transparency are generally regarded as mature, with structured advisories and clear upgrade guidance.