Cyber Posture

CVE-2025-23412

Severity: High

Published: 05 February 2025
Modified: 12 November 2025
KEV Added: not recorded here
Patch: not recorded here
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0048 (percentile 65.1)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

When a BIG-IP APM Access Profile is configured on a virtual server, an undisclosed request can cause TMM to terminate. Note: software versions that have reached End of Technical Support (EoTS) are not evaluated.

Security Summary

CVE-2025-23412 affects F5 BIG-IP systems that have an Access Policy Manager (APM) Access Profile attached to a virtual server. An undisclosed request sent to such a virtual server causes the Traffic Management Microkernel (TMM) to terminate, producing a denial-of-service condition. The issue is classified under CWE-120 (Buffer Copy without Checking Size of Input) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, unauthenticated, high availability impact, and no confidentiality or integrity impact.

An unauthenticated attacker who can reach the vulnerable virtual server over the network can trigger the condition with low complexity and no user interaction. Because TMM carries all data-plane traffic on the instance, its termination interrupts every virtual server on that BIG-IP, not only the one with the Access Profile, until the process restarts; an attacker able to repeat the request can keep the device unavailable. Units in a device group with synchronized configuration share the exposure, so failover to a peer does not by itself remove it.

F5 security advisory K000141003 (https://my.f5.com/manage/s/article/K000141003) lists the affected versions and the recommended mitigations or patches. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability, so an EoTS release should be treated as unassessed rather than as unaffected.

Details

CWE(s)
CWE-120

Affected Products

F5 BIG-IP Access Policy Manager: 16.1.3 to 16.1.5, 17.1.0 to 17.1.2
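The Security Summary above gives the two facts that decide whether a device is exposed: an APM Access Profile attached to a virtual server, and a running version inside the ranges listed under Affected Products. The script below is an added triage example written for this page, not F5 code and not an exploit. It parses saved output of `tmsh list ltm virtual one-line`, `tmsh list apm profile access one-line` and `tmsh show sys version` (the one-line layout and the sample outputs embedded here are constructed for illustration), reports which virtual servers carry an access profile, and compares the version with the page's ranges. Treating sub-point releases such as 16.1.5.x as in range is an assumption of the script; confirm fixed builds against K000141003.

```python
"""Exposure triage for CVE-2025-23412, written as an added example (not F5 code).

Input is saved text from three tmsh commands:
    tmsh list ltm virtual one-line
    tmsh list apm profile access one-line
    tmsh show sys version
The one-line layout assumed here is
    ltm virtual <name> { ... profiles { <profile> { } ... } ... }
and the sample outputs below are constructed for illustration.
"""
import re

# Affected ranges as listed on this page, compared on the first three version
# components (inclusive).  Treating 16.1.5.x or 17.1.2.x as in range is an
# assumption of this script; confirm fixed builds against F5 K000141003.
AFFECTED_RANGES = [((16, 1, 3), (16, 1, 5)), ((17, 1, 0), (17, 1, 2))]


def _canon(name):
    """tmsh omits the partition for objects in the current partition; this
    assumes the listings were taken from /Common so names compare equal."""
    return name if name.startswith("/") else "/Common/" + name


def parse_version(text):
    """Return (major, minor, maint) from 'show sys version' output or a bare
    version string; prefers the 'Version' field so the Build line is ignored."""
    m = (re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", text)
         or re.search(r"(\d+)\.(\d+)\.(\d+)", text))
    if not m:
        raise ValueError("no TMOS version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_affected(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _brace_block(s, start):
    """Return the text inside the brace pair whose '{' is at s[start]."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return s[start + 1:i]
    raise ValueError("unbalanced braces in tmsh output")


def access_profile_names(apm_listing):
    """Set of APM access profile names from 'list apm profile access'."""
    return {_canon(n) for n in re.findall(r"^apm profile access (\S+)", apm_listing, re.M)}


def virtual_profiles(virtual_listing):
    """Map each virtual server to the set of profiles attached to it."""
    result = {}
    for line in virtual_listing.splitlines():
        m = re.match(r"ltm virtual (\S+) \{", line)
        if not m:
            continue
        profiles = set()
        pidx = line.find(" profiles {")
        if pidx != -1:
            block = _brace_block(line, line.index("{", pidx))
            # every "<name> {" token inside the block is an attached profile
            profiles = {_canon(n) for n in re.findall(r"(\S+) \{", block)}
        result[_canon(m.group(1))] = profiles
    return result


def exposed_virtuals(virtual_listing, apm_listing):
    """Virtual servers that carry an APM access profile (the CVE precondition)."""
    access = access_profile_names(apm_listing)
    return sorted(vs for vs, profs in virtual_profiles(virtual_listing).items()
                  if profs & access)


def triage(virtual_listing, apm_listing, version_text):
    return {
        "version_affected": version_affected(version_text),
        "exposed_virtuals": exposed_virtuals(virtual_listing, apm_listing),
    }


# --- constructed sample output (not taken from a real device) ---
SAMPLE_VIRTUALS = (
    "ltm virtual vs_portal { destination 10.0.0.5:443 ip-protocol tcp mask 255.255.255.255 "
    "profiles { /Common/clientssl { context clientside } /Common/http { } "
    "/Common/portal_access { } /Common/tcp { } } source 0.0.0.0/0 translate-address enabled }\n"
    "ltm virtual vs_web { destination 10.0.0.6:80 ip-protocol tcp mask 255.255.255.255 "
    "profiles { /Common/http { } /Common/tcp { } } source 0.0.0.0/0 }\n"
    "ltm virtual vs_fwd { destination 0.0.0.0:any ip-protocol any mask any "
    "profiles { /Common/fastL4 { } } source 0.0.0.0/0 }\n"
)
SAMPLE_APM = (
    "apm profile access /Common/portal_access { access-policy /Common/portal_access generation 3 }\n"
    "apm profile access /Common/unused_access { generation 1 }\n"
)
SAMPLE_VERSION = "Sys::Version\nMain Package\n  Product  BIG-IP\n  Version  17.1.1\n  Build    0.0.4\n"

if __name__ == "__main__":
    print(triage(SAMPLE_VIRTUALS, SAMPLE_APM, SAMPLE_VERSION))
```

Run it against real listings saved from each device (including every member of a device group, since synchronized configuration spreads the precondition). A virtual server is reported only when one of its attached profiles is a defined APM access profile, so access profiles that exist but are attached nowhere are ignored, and a reported server on an affected version is the combination the advisory describes.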

References

F5 security advisory K000141003: https://my.f5.com/manage/s/article/K000141003