CVE-2025-23412
Published: 05 February 2025
Summary
CVE-2025-23412 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 34.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the buffer overflow flaw (CWE-120) in BIG-IP TMM triggered by undisclosed requests to APM Access Profiles via patching or upgrades as per F5 advisory.
Protects against denial-of-service attacks like TMM termination by limiting the effects of resource exhaustion or crash-inducing requests on the virtual server.
Validates the size and structure of incoming requests to the APM Access Profile, preventing buffer copy without input size checks that cause TMM crashes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer overflow in a public-facing F5 BIG-IP virtual server allows an unauthenticated network request to crash TMM, directly enabling application/system exploitation for endpoint denial of service.
NVD Description
When BIG-IP APM Access Profile is configured on a virtual server, undisclosed request can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Deeper analysis
CVE-2025-23412 affects F5 BIG-IP systems configured with an Access Policy Manager (APM) Access Profile on a virtual server. The vulnerability allows an undisclosed request to cause the Traffic Management Microkernel (TMM) to terminate, resulting in a denial-of-service condition. It is classified under CWE-120 (Buffer Copy without Checking Size of Input) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker with network access to the vulnerable virtual server can exploit this issue with low complexity and no user interaction required. Exploitation triggers TMM termination, which disrupts traffic processing and may require manual intervention to restore service on the affected BIG-IP instance.
F5 security advisory K000141003, available at https://my.f5.com/manage/s/article/K000141003, details affected versions and recommended mitigations or patches. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.
Details
- CWE(s)