CVE-2024-28889 in BIG-IP
Summary
by MITRE • 05/08/2024
When an SSL profile with alert timeout is configured with a non-default value on a virtual server, undisclosed traffic along with conditions beyond the attacker's control can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis
by VulDB Data Team • 10/21/2025
The vulnerability described in CVE-2024-28889 represents a critical stability issue within F5 BIG-IP systems that affects the Traffic Management Microkernel (TMM) component. This flaw manifests when SSL profiles are configured with custom alert timeout values on virtual servers, creating a condition where specific traffic patterns can trigger unexpected system termination. The vulnerability operates at the core networking layer where SSL/TLS processing occurs, making it particularly dangerous as it can disrupt critical network services and potentially provide attackers with a means to cause denial of service against targeted systems.
The technical mechanism behind this vulnerability involves the interaction between SSL profile configurations and the TMM's handling of alert timeouts during secure communication processing. When a non-default alert timeout value is specified in an SSL profile, the TMM's state management logic can encounter edge cases where it fails to properly handle certain traffic conditions. These conditions may include specific timing sequences, malformed SSL handshakes, or particular combinations of SSL protocol versions and cipher suites that cause the microkernel to enter an inconsistent state. The exact traffic patterns that trigger this behavior remain undisclosed, which complicates both detection and remediation efforts. According to CWE classification, this vulnerability aligns with CWE-682 Incorrect Calculation, as it involves miscalculations in the timeout handling logic that lead to system instability.
The operational impact of this vulnerability extends beyond simple service disruption, as it can potentially be exploited to cause cascading failures in network infrastructure. When the TMM terminates unexpectedly, it affects all virtual servers and SSL offloading functions managed by that microkernel instance, potentially leading to widespread service outages across applications relying on F5 BIG-IP for SSL termination. This type of vulnerability directly impacts the availability aspect of the CIA triad and can be particularly damaging in high-availability environments where system stability is paramount. The fact that the issue occurs with "conditions beyond the attacker's control" suggests that it may be triggered by legitimate traffic patterns, making it difficult to distinguish between normal operation and exploitation attempts.
Organizations affected by this vulnerability should prioritize immediate remediation through official F5 security patches and updates, as the End of Technical Support status for affected versions indicates that no further security updates will be provided. System administrators should implement monitoring for unusual TMM termination events and consider network segmentation to limit the impact of potential exploitation. The vulnerability's classification under ATT&CK technique T1499.004 (Endpoint Denial of Service) highlights its potential for causing system-level disruption that can be leveraged as part of broader attack campaigns. Additionally, organizations should conduct thorough testing of SSL profile configurations to identify and modify any non-default alert timeout values that might contribute to the vulnerability's exploitation, while also ensuring that their incident response procedures include specific protocols for handling TMM termination events.
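The configuration review recommended above can be scripted. The following Python audit is an added example written for this entry; it is not F5 code and not part of the VulDB analysis. It parses `tmsh list ltm profile client-ssl` style output (the sample below is constructed, not captured from a device) and reports every client-ssl profile whose effective `alert-timeout` differs from the assumed factory default of `indefinite`. The attribute name `alert-timeout`, the `defaults-from` inheritance key and that default value are assumptions drawn from the client-ssl profile's documented attributes and should be confirmed against the exact BIG-IP version in use. The audit resolves inheritance, so a child profile that never sets `alert-timeout` itself but inherits a custom value from its parent is still flagged, which a plain grep for the attribute would miss.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample in the shape of `tmsh list ltm profile client-ssl` output.
# Not captured from a real device; attribute names are assumptions.
SAMPLE_TMSH_OUTPUT = """\
ltm profile client-ssl clientssl {
    alert-timeout indefinite
    app-service none
    cert default.crt
    key default.key
}
ltm profile client-ssl app1_clientssl {
    alert-timeout 5
    cert app1.crt
    defaults-from clientssl
    key app1.key
}
ltm profile client-ssl app2_clientssl {
    cert app2.crt
    defaults-from app1_clientssl
    key app2.key
}
ltm profile client-ssl app3_clientssl {
    cert app3.crt
    defaults-from clientssl
    key app3.key
}
"""

# Assumed factory default for the client-ssl profile's alert-timeout attribute.
DEFAULT_ALERT_TIMEOUT = "indefinite"

# One profile block: "ltm profile client-ssl <name> {" ... "}" at column 0.
PROFILE_RE = re.compile(r"ltm profile client-ssl (\S+) \{(.*?)\n\}", re.S)


def parse_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Map profile name -> {attribute: value} for each client-ssl profile block."""
    profiles: Dict[str, Dict[str, str]] = {}
    for match in PROFILE_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        attrs: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            key, _, value = line.partition(" ")
            attrs[key] = value.strip()
        profiles[name] = attrs
    return profiles


def effective_alert_timeout(profiles: Dict[str, Dict[str, str]], name: str,
                            seen: Optional[Set[str]] = None) -> str:
    """Resolve alert-timeout for a profile, walking the defaults-from chain.

    A profile that does not set the attribute inherits it from its parent;
    a chain that ends without an explicit value gets the factory default.
    """
    seen = seen if seen is not None else set()
    if name in seen:
        raise ValueError(f"defaults-from cycle involving {name!r}")
    seen.add(name)
    attrs = profiles.get(name)
    if attrs is None:
        # Parent not present in the listing (e.g. a system profile not dumped):
        # assume it carries the factory default.
        return DEFAULT_ALERT_TIMEOUT
    if "alert-timeout" in attrs:
        return attrs["alert-timeout"]
    parent = attrs.get("defaults-from")
    if parent and parent != "none":
        return effective_alert_timeout(profiles, parent, seen)
    return DEFAULT_ALERT_TIMEOUT


def find_nondefault_alert_timeouts(text: str) -> Dict[str, str]:
    """Return {profile: effective alert-timeout} for profiles not at the default."""
    profiles = parse_profiles(text)
    findings: Dict[str, str] = {}
    for name in profiles:
        value = effective_alert_timeout(profiles, name)
        if value != DEFAULT_ALERT_TIMEOUT:
            findings[name] = value
    return findings


if __name__ == "__main__":
    for profile, value in sorted(find_nondefault_alert_timeouts(SAMPLE_TMSH_OUTPUT).items()):
        print(f"review: client-ssl profile {profile} has effective alert-timeout {value}")
```

On the constructed sample the audit reports `app1_clientssl` (explicit value `5`) and `app2_clientssl` (inherits `5` from `app1_clientssl`), while `clientssl` and `app3_clientssl` resolve to the default and are silent. Pair the output with the virtual-server listing to confirm which flagged profiles are actually attached to a virtual server, since the advisory condition requires both.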