Cyber Posture

CVE-2025-22846

High

Published: 05 February 2025
Modified: 10 September 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0042 (61.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22846 is a high-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in F5 BIG-IP Next Service Proxy for Kubernetes. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 38.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Flaw remediation directly addresses the vulnerability by applying F5 patches to fix the TMM termination issue triggered by SIP ALG traffic.

SC-5 Denial-of-service Protection (prevent): Denial-of-service protection identifies and blocks or rate-limits the undisclosed traffic exploiting the vulnerable virtual server configuration.

CM-7 Least Functionality (prevent): Least functionality restricts enabling unnecessary SIP Session and Router ALG profiles on Message Routing virtual servers, preventing the vulnerable condition.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote exploitation of a crafted traffic condition to crash the TMM process on a public-facing virtual server, directly mapping to application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When SIP Session and Router ALG profiles are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Deeper analysis

CVE-2025-22846 is a denial-of-service vulnerability affecting F5 BIG-IP systems. When SIP Session and Router ALG profiles are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. The issue is classified under CWE-404 (Improper Resource Shutdown or Release) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). It was published on 2025-02-05.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. By sending the undisclosed traffic to the affected virtual server configuration, the attacker can terminate the TMM process, resulting in a denial of service that disrupts traffic management and availability.

F5 has published a security advisory at https://my.f5.com/manage/s/article/K000139780 addressing the vulnerability. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated.

Details

CWE(s): CWE-404 Improper Resource Shutdown or Release

Affected Products

f5 / big-ip next service proxy for kubernetes: 1.8.0, 1.8.1, 1.8.2, 1.9.0 · 1.7.0 — 1.7.7
f5 / big-ip access policy manager: 15.1.0 — 15.1.10.6.0.11.6 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2
f5 / big-ip advanced firewall manager: 15.1.0 — 15.1.10.6.0.11.6-ENG · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2
f5 / big-ip analytics: 15.1.0 — 15.1.10.6.0.11.6 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2
f5 / big-ip application acceleration manager: 15.1.0 — 15.1.10.6.0.11.6 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2
f5 / big-ip application security manager: 15.1.0 — 15.1.10.6.0.11.6 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2
f5 / big-ip domain name system: 15.1.0 — 15.1.10.6.0.11.6 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2
f5 / big-ip fraud protection service: 15.1.0 — 15.1.10.6.0.11.6 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2
f5 / big-ip global traffic manager: 15.1.0 — 15.1.10.6.0.11.6 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2
f5 / big-ip link controller: 15.1.0 — 15.1.10.6.0.11.6 · 16.1.0 — 16.1.5 · 17.1.0 — 17.1.2
+2 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-21087 (same product: F5 BIG-IP Access Policy Manager)
CVE-2025-23239 (same product: F5 BIG-IP Access Policy Manager)
CVE-2025-21091 (same product: F5 BIG-IP Access Policy Manager)
CVE-2025-20058 (same product: F5 BIG-IP Access Policy Manager)
CVE-2025-20045 (same product: F5 BIG-IP Access Policy Manager)
CVE-2025-22891 (same product: F5 BIG-IP Policy Enforcement Manager)
CVE-2025-24326 (same product: F5 BIG-IP Application Security Manager)
CVE-2025-23412 (same product: F5 BIG-IP Access Policy Manager)
CVE-2025-20029 (same product: F5 BIG-IP Access Policy Manager)
CVE-2025-24320 (same product: F5 BIG-IP Access Policy Manager)

References