DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-53474: F5 BIG-IP TMM: When Node.js Breaks the Kernel (CVE-2025-53474)

#security #cve #cybersecurity

F5 BIG-IP TMM: When Node.js Breaks the Kernel (CVE-2025-53474)

Vulnerability ID: CVE-2025-53474
CVSS Score: 7.5
Published: 2025-10-15

In the aftermath of the August 2025 F5 source code leak and the discovery of the 'BRICKSTORM' backdoor, security researchers uncovered a critical fragility in the bridge between F5's high-speed Traffic Management Microkernel (TMM) and its modern scripting engine, iRules LX. CVE-2025-53474 is a classic buffer overflow in the IPC mechanism handling ILX::call commands. By sending specific data through a virtual server configured with iRules LX, an unauthenticated attacker can overrun TMM's internal buffers, causing the microkernel to panic and terminate. In the world of BIG-IP, when TMM dies, everything dies.

TL;DR

Critical buffer overflow in F5 BIG-IP's ILX::call command allows unauthenticated attackers to crash the TMM (DoS). Vulnerability stems from improper bounds checking in the iRules LX IPC mechanism. Discovered following the 2025 source code leak.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-120 (Buffer Copy without Checking Size of Input)
  • Attack Vector: Network (CVSS: AV:N)
  • CVSS v3.1: 7.5 (High)
  • Impact: Denial of Service (TMM Core Dump)
  • EPSS Score: 0.11% (Low probability, High impact)
  • Component: iRules LX (ILX::call)

Affected Systems

  • F5 BIG-IP LTM
  • F5 BIG-IP APM
  • F5 BIG-IP ASM/Advanced WAF
  • F5 BIG-IP AFM
  • BIG-IP (All Modules): 17.5.0 - 17.5.1 (Fixed in: 17.5.1.3)
  • BIG-IP (All Modules): 17.1.0 - 17.1.2 (Fixed in: 17.1.3)
  • BIG-IP (All Modules): 16.1.0 - 16.1.6 (Fixed in: 16.1.6.1)
  • BIG-IP (All Modules): 15.1.0 - 15.1.10.7 (Fixed in: 15.1.10.8)

Exploit Details

  • Hypothetical: Exploitation involves sending oversized payloads to Virtual Servers configured with iRules LX.

Mitigation Strategies

  • Software Update (Primary)
  • iRule Modification (Workaround)
  • Traffic Filtering (Compensatory)

Remediation Steps:

  1. Identify all Virtual Servers using iRules with the 'ILX::call' command.
  2. Schedule an emergency maintenance window.
  3. Install the patch version corresponding to your major release (e.g., 17.5.1.3).
  4. Verify system stability after reboot.

References

Read the full report for CVE-2025-53474 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)