Introduction
Disruption of remote access services can halt business operations and lock out thousands of users in an instant. F5 BIG-IP Access Policy Manager (APM) is a cornerstone technology for secure application delivery and authentication in enterprises and service providers worldwide. On October 15, 2025, F5 disclosed CVE-2025-61960, a high-severity vulnerability that allows remote, unauthenticated attackers to crash the core traffic engine behind BIG-IP APM portal access, causing a denial of service for all users of the affected device.
F5 Networks is a global leader in application delivery and security, with BIG-IP products deployed across critical infrastructure, Fortune 500 enterprises, and telecommunications providers. The Access Policy Manager (APM) module is widely used for secure remote access, VPN, and web portal authentication, making any vulnerability in this component highly impactful for organizations relying on continuous availability and secure access control.
Technical Information
CVE-2025-61960 is a NULL pointer dereference vulnerability (CWE-476) in the BIG-IP APM portal access logic. The flaw is triggered when a per-request policy is configured on a portal access virtual server and the system receives certain undisclosed traffic patterns. This causes the Traffic Management Microkernel (TMM), which handles all data plane traffic, to terminate and restart. The result is immediate disruption of all active connections and a temporary outage for all services handled by the affected BIG-IP instance.
The vulnerability is remotely exploitable with no authentication or user interaction required; an attacker only needs network access to the vulnerable virtual server. F5 has not publicly disclosed the specific traffic that triggers the NULL pointer dereference, which is common practice for denial of service issues and is intended to slow weaponization. Only the data plane is affected; the control plane and management interface are not exposed.
Root cause analysis points to insufficient validation or error handling in the per-request policy processing path for portal access. When certain malformed or unexpected traffic is processed, the code attempts to dereference a NULL pointer, leading to a crash of the TMM process. This is consistent with the CWE-476 classification and with similar historical issues in complex traffic management software.
No code snippets or further technical details have been published by F5 or independent researchers as of the advisory date.
Affected Systems and Versions
CVE-2025-61960 affects the following F5 BIG-IP APM versions when a per-request policy is configured on a portal access virtual server:
- 17.5.0 through 17.5.1
- 17.1.0 through 17.1.2
- 16.1.0 through 16.1.5 (possibly 16.1.6, confirm with vendor advisory)
- 15.1.0 through 15.1.10
End of Technical Support (EoTS) versions were not evaluated by F5 and may also be vulnerable. Only configurations with per-request policies on portal access virtual servers are affected.
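To turn the version list and the configuration condition above into a repeatable check, here is an added example (not F5's code and not from the advisory) that classifies a BIG-IP build string against the inclusive ranges stated on this page; the status names and the handling of the unconfirmed 16.1.6 build are this example's own assumptions.

```python
from __future__ import annotations

# Inclusive affected ranges as listed on this page, keyed by (major, minor) branch.
AFFECTED_RANGES = {
    (17, 5): ((17, 5, 0), (17, 5, 1)),
    (17, 1): ((17, 1, 0), (17, 1, 2)),
    (16, 1): ((16, 1, 0), (16, 1, 5)),
    (15, 1): ((15, 1, 0), (15, 1, 10)),
}
# The page is unsure whether 16.1.6 is affected, so it is reported separately.
UNCONFIRMED = {(16, 1, 6)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Reduce a BIG-IP version string such as '17.1.1.2' to (major, minor, patch).

    Point-release and build components after the third dot are ignored because
    the advisory ranges are expressed at major.minor.patch granularity.
    """
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def assess(version: str, per_request_policy_on_portal_access: bool) -> str:
    """Classify one device: not_exposed, affected, confirm_with_vendor,
    not_listed or branch_not_evaluated (status names are assumptions)."""
    # The crash requires a per-request policy on a portal access virtual server;
    # without that configuration the vulnerable code path is not reachable.
    if not per_request_policy_on_portal_access:
        return "not_exposed"
    v = parse_version(version)
    if v in UNCONFIRMED:
        return "confirm_with_vendor"
    branch = v[:2]
    if branch not in AFFECTED_RANGES:
        # EoTS branches were not evaluated by F5 and may still be vulnerable.
        return "branch_not_evaluated"
    low, high = AFFECTED_RANGES[branch]
    return "affected" if low <= v <= high else "not_listed"


if __name__ == "__main__":
    # Constructed sample inventory: (version string, per-request policy on portal access)
    for ver, cfg in [("17.1.1.2", True), ("17.1.1", False), ("16.1.6", True), ("14.1.5", True)]:
        print(f"{ver:10} policy={cfg!s:5} -> {assess(ver, cfg)}")
```

A "not_listed" result only means the build falls outside the ranges on this page; treat it as a prompt to re-check the vendor advisory, not as proof the device is patched.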
Vendor Security History
F5 has experienced multiple critical vulnerabilities in BIG-IP products, including remote code execution (CVE-2020-5902, CVE-2023-46747) and denial of service issues affecting the Traffic Management Microkernel and APM modules. In August 2025, F5 disclosed a nation-state breach that resulted in the theft of BIG-IP source code and vulnerability data, increasing scrutiny of its security practices and patch response. F5 generally provides timely advisories and patches across supported versions, but recurring denial of service and authentication bypass issues have eroded customer trust and raised operational risk.