CVE-2025-20045

High

Published: 05 February 2025

Published

05 February 2025

Modified

21 October 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0056 68.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20045 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the NULL pointer dereference flaw in TMM by applying vendor patches or workarounds specified in the F5 security advisory.

SC-5 Denial-of-service Protection good match

preventdetect

Provides denial-of-service protection mechanisms such as traffic filtering or rate limiting to block or mitigate the undisclosed SIP traffic triggering TMM crashes.

SI-11 Error Handling partial match

prevent

Ensures error handling in the SIP ALG processing prevents crashes from invalid traffic leading to NULL pointer dereferences.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Remote unauthenticated exploitation of public-facing virtual server (T1190) via crafted traffic triggering application crash (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When SIP session Application Level Gateway mode (ALG) profile with Passthru Mode enabled and SIP router ALG profile are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software…

versions which have reached End of Technical Support (EoTS) are not evaluated.

Deeper analysisAI

CVE-2025-20045 is a denial-of-service vulnerability affecting the Traffic Management Microkernel (TMM) in F5 BIG-IP systems. It occurs when a SIP session Application Level Gateway (ALG) profile with Passthru Mode enabled, combined with a SIP router ALG profile, is configured on a Message Routing type virtual server. In this scenario, undisclosed traffic triggers a NULL pointer dereference (CWE-476), causing the TMM to terminate. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Software versions that have reached End of Technical Support (EoTS) were not evaluated.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction. By sending the undisclosed traffic to the affected virtual server under the specified SIP ALG configurations, an attacker can cause the TMM to crash, resulting in a denial of service that disrupts traffic processing and potentially requires manual restart or failover.

The F5 security advisory provides details on mitigation and affected versions at https://my.f5.com/manage/s/article/K000138932.

Details

CWE(s): CWE-476

Affected Products

big-ip access policy manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

big-ip advanced firewall manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

big-ip advanced web application firewall

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

big-ip analytics

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

big-ip application acceleration manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

big-ip application security manager

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

big-ip application visibility and reporting

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

big-ip automation toolchain

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

big-ip carrier-grade nat

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

big-ip container ingress services

15.1.0 — 15.1.10 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2

+11 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-21091Same product: F5 Big-Ip Access Policy Manager

CVE-2025-20058Same product: F5 Big-Ip Access Policy Manager

CVE-2025-21087Same product: F5 Big-Ip Access Policy Manager

CVE-2025-24320Same product: F5 Big-Ip Access Policy Manager

CVE-2025-20029Same product: F5 Big-Ip Access Policy Manager

CVE-2025-22846Same product: F5 Big-Ip Access Policy Manager

CVE-2025-23239Same product: F5 Big-Ip Access Policy Manager

CVE-2025-24312Same product: F5 Big-Ip Advanced Firewall Manager

CVE-2025-53521Same product: F5 Big-Ip Access Policy Manager

CVE-2025-22891Same product: F5 Big-Ip Policy Enforcement Manager

References

https://my.f5.com/manage/s/article/K000138932
Vendor Advisory · f5sirt@f5.com