CVE-2025-20045 in BIG-IP
Summary
by MITRE • 02/05/2025
When SIP session Application Level Gateway mode (ALG) profile with Passthru Mode enabled and SIP router ALG profile are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis
by VulDB Data Team • 10/21/2025
This vulnerability exists in F5 BIG-IP systems where a specific combination of SIP (Session Initiation Protocol) configuration settings can lead to critical system termination. The issue manifests when a Message Routing type virtual server is configured with both a SIP session Application Level Gateway (ALG) profile with Passthru Mode enabled and a SIP router ALG profile. It is a denial-of-service condition that can be triggered by undisclosed traffic patterns, causing the Traffic Management Microkernel (TMM) to terminate unexpectedly. In this configuration the system's SIP processing logic fails to properly handle certain traffic flows, leading to system instability and potential service disruption.
The technical flaw stems from insufficient input validation and error handling within the TMM's SIP processing modules. When the system processes traffic that matches the specific ALG profile configuration, the underlying parsing and routing logic encounters conditions that the software's error handling does not account for. This results in a termination of the microkernel rather than graceful error recovery or traffic rejection. The vulnerability is particularly concerning because it operates at the microkernel level, meaning that the system's core traffic management functionality becomes unavailable. The traffic patterns that trigger this behavior are undisclosed; the vulnerability may be related to malformed SIP headers, unexpected message sequences, or specific combinations of SIP options that the system's parser does not adequately handle.
The operational impact of this vulnerability is severe, as it can result in complete service disruption for SIP-based communications. Organizations relying on F5 BIG-IP systems for voice and video traffic routing may experience immediate loss of communication services when the TMM terminates. The termination affects not just individual sessions but can potentially bring down the entire virtual server, impacting all traffic handled by that server. This vulnerability particularly affects enterprises with complex SIP infrastructure where ALG profiles are commonly deployed for NAT traversal and session management. The potential for automated exploitation exists since the trigger conditions may be predictable based on SIP protocol behavior patterns, making this a significant risk for organizations that have not yet patched their systems.
Organizations should immediately implement mitigation strategies, including disabling the problematic ALG profile configurations until a patch can be applied, implementing network segmentation to limit exposure, and monitoring for unusual traffic patterns that might indicate exploitation attempts. The vulnerability aligns with CWE-248 (Uncaught Exception) and ATT&CK technique T1499.004 for endpoint denial of service, as it represents an unhandled system condition that leads to service termination. F5 has released security advisories and patches addressing this issue, and organizations should prioritize updating their systems to the latest supported versions. Additionally, network-based intrusion detection systems that can identify suspicious SIP traffic patterns may provide early warning of potential exploitation attempts. The vulnerability highlights the importance of thorough testing of network infrastructure configurations, particularly those involving protocol handling and NAT traversal mechanisms, as seemingly benign configuration combinations can create critical system instability.