CVE-2025-22846 in BIG-IP

Summary

by MITRE • 02/05/2025

When SIP Session and Router ALG profiles are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.



  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.


Analysis

by VulDB Data Team • 09/10/2025

The vulnerability identified as CVE-2025-22846 represents a critical stability issue within F5 Networks BIG-IP systems that affects the Traffic Management Microkernel (TMM) component. This flaw manifests specifically when SIP Session and Router Application Layer Gateway (ALG) profiles are configured on Message Routing type virtual servers, creating a scenario where normal network traffic can trigger unexpected system termination. The vulnerability exposes a fundamental weakness in how the TMM processes certain traffic patterns that are typically considered benign or properly handled by the system's application layer inspection capabilities.

The technical root cause of this vulnerability lies in the improper handling of undisclosed or unexpected traffic patterns that flow through the SIP ALG processing pipeline. When the TMM encounters traffic that doesn't conform to expected SIP session behaviors or router protocol interactions, the system fails to properly validate or sanitize the incoming data before processing it through the ALG profile mechanisms. This lack of proper input validation leads to memory corruption or state management issues within the TMM kernel, ultimately causing the entire microkernel to terminate unexpectedly. The vulnerability is particularly concerning because it can be triggered by legitimate network traffic that simply doesn't match the expected patterns that the ALG profiles were designed to handle.

The operational impact of this vulnerability extends beyond simple system availability concerns to potentially disrupt critical communication services that rely on SIP-based messaging infrastructure. Organizations using F5 BIG-IP systems with Message Routing virtual servers configured with SIP ALG profiles face the risk of unexpected service interruptions that could affect voice over IP communications, instant messaging services, or other SIP-based applications. The termination of the TMM process creates a cascading effect that can result in complete loss of traffic processing capabilities for the affected virtual server, requiring manual intervention to restore service. This vulnerability particularly affects environments where SIP traffic flows through application delivery controllers, making it a significant concern for enterprises with unified communications deployments.

Security professionals should note that this vulnerability aligns with CWE-248, which addresses "Uncaught Exception," and potentially relates to CWE-129, "Improper Validation of Array Index," as the system may be failing to properly validate traffic data before processing. From an ATT&CK framework perspective, this vulnerability could be leveraged in initial access or persistence phases, though its primary impact is in the execution and privilege escalation domains where system stability is compromised. The vulnerability demonstrates a classic example of how application layer gateway functionality can introduce unexpected system behavior when dealing with edge cases in traffic processing. Organizations should prioritize immediate mitigation through software updates from F5, as well as implementing network segmentation to limit exposure of affected systems while patches are deployed.

The broader implications of this vulnerability highlight the complexity of modern application delivery controllers that must handle increasingly sophisticated traffic inspection requirements. The interaction between SIP ALG profiles and Message Routing virtual servers creates a unique attack surface that can be exploited through seemingly normal traffic patterns. This vulnerability underscores the importance of comprehensive testing of application layer gateways under various traffic conditions and the need for robust error handling mechanisms within core system components. Organizations should also consider implementing monitoring solutions that can detect TMM termination events and provide early warning of potential exploitation attempts.
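To check which virtual servers meet the exposure condition described above (a SIP session profile and a SIP router profile attached to the same virtual server), the following added example audits a saved configuration. It is not code from F5 or VulDB; the tmsh-style stanza layout and every object name in the sample are assumptions to verify against the device's own configuration.

```python
import re

# Constructed sample in an assumed tmsh-style stanza layout; all names are made up.
SAMPLE_CONFIG = """\
ltm message-routing sip profile session /Common/sip_sess_alg {
    defaults-from /Common/sipsession-alg
}
ltm message-routing sip profile router /Common/sip_rtr_alg {
    defaults-from /Common/siprouter-alg
}
ltm virtual /Common/vs_sip_mr {
    profiles {
        /Common/sip_rtr_alg { }
        /Common/sip_sess_alg { }
        /Common/udp { }
    }
}
ltm virtual /Common/vs_web {
    profiles {
        /Common/http { }
    }
}
"""

HEADER = re.compile(r"^(ltm \S.*?) (\S+) \{\s*$")   # "<kind> <name> {"

def top_level_stanzas(text):
    """Yield (kind, name, body_lines) for each top-level 'ltm ... <name> { }' block."""
    depth, current = 0, None
    for line in text.splitlines():
        m = HEADER.match(line) if depth == 0 else None
        if m:
            current = (m.group(1), m.group(2), [])
        elif current:
            current[2].append(line.strip())
        depth += line.count("{") - line.count("}")   # track brace nesting
        if depth == 0 and current:
            yield current
            current = None

def exposed_virtuals(text):
    """Virtual servers referencing both a SIP session and a SIP router profile."""
    kinds, virtuals = {}, {}
    for kind, name, body in top_level_stanzas(text):
        if kind.startswith("ltm message-routing sip profile "):
            kinds[name] = kind.rsplit(" ", 1)[1]      # "session" or "router"
        elif kind == "ltm virtual":
            virtuals[name] = {l.split()[0] for l in body if l.startswith("/")}
    return sorted(v for v, refs in virtuals.items()
                  if {"session", "router"} <= {kinds.get(r) for r in refs})
```

Profiles that are not defined in the supplied text are not classified, so a virtual server that references profiles defined elsewhere will not be reported.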

Reservation: 01/22/2025
Disclosure: 02/05/2025
Moderation: accepted
CPE: ready
EPSS: 0.00393
KEV: no
Activities: very low
