CVE-2025-35995 in BIG-IP PEM
Summary
by MITRE • 05/08/2025
When a BIG-IP PEM system is licensed with URL categorization, and the URL categorization policy or an iRule with the urlcat command is enabled on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis
by VulDB Data Team • 08/18/2025
The vulnerability described in CVE-2025-35995 is a stability issue in F5 BIG-IP PEM systems that use URL categorization. It manifests when specific traffic patterns interact with the Traffic Management Microkernel (TMM), the core traffic-processing engine of BIG-IP, and cause the process to terminate unexpectedly. It affects only systems where a URL categorization policy, or an iRule using the urlcat command, is active on a virtual server; on such systems certain undisclosed request types cause TMM to terminate. The result is service disruption and a denial of service condition that can affect business continuity.
The technical nature of this vulnerability stems from improper handling of URL categorization commands within the TMM processing pipeline. When an iRule containing the urlcat command is executed on a virtual server with active URL categorization policies, the system fails to properly validate or process certain request patterns, leading to memory corruption or resource exhaustion that ultimately causes the TMM process to terminate. This behavior aligns with CWE-248, which addresses "Uncaught Exception" conditions in software systems, and represents a classic case of inadequate error handling in network processing components. The vulnerability demonstrates how seemingly benign URL categorization functionality can become a vector for system instability when combined with specific iRule configurations, creating a complex interaction that bypasses normal system error recovery mechanisms.
The operational impact of this vulnerability extends beyond simple service disruption to encompass potential security implications for organizations relying on F5 BIG-IP systems for network traffic management and security enforcement. When the TMM terminates unexpectedly, it can result in complete network service outages that affect critical business applications and user access to web resources. The vulnerability's trigger conditions are particularly concerning because they involve undisclosed request patterns that make proactive detection and prevention challenging. Organizations utilizing URL categorization for web filtering, content control, or security policy enforcement face significant risk as malicious actors could potentially exploit this vulnerability to create denial of service conditions against their network infrastructure. This aligns with ATT&CK technique T1499.004, which covers "Domain Generation Algorithm" and similar techniques that can be used to create service disruption through system instability.
Mitigation strategies for this vulnerability should focus on immediate system hardening measures while implementing long-term architectural solutions. Organizations must first ensure their F5 BIG-IP systems are running supported software versions that include the relevant security patches, as the vulnerability specifically excludes systems past their End of Technical Support phase. Network administrators should consider implementing additional monitoring and alerting mechanisms around TMM process stability, as well as reviewing and restricting the use of iRules containing urlcat commands where possible. The implementation of proper input validation and request filtering at the perimeter can help reduce the likelihood of triggering the vulnerability, while maintaining the core URL categorization functionality. Additionally, organizations should establish incident response procedures specifically addressing TMM termination events, as the vulnerability's behavior could be mistaken for other system failures or security incidents, potentially delaying appropriate response actions.
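One way to inventory the exposure the mitigation paragraph describes (virtual servers carrying iRules that invoke urlcat), as an added example that is neither F5's nor VulDB's code: it parses constructed, tmsh-style `list ltm rule` and `list ltm virtual` output, whose exact layout is assumed here rather than captured from a real system.

```python
import re
# Constructed sample of "tmsh list ltm rule" / "tmsh list ltm virtual" output (assumed shape).
RULES_OUTPUT = """\
ltm rule /Common/categorize_uri {
    when HTTP_REQUEST {
        set cat [urlcat [HTTP::uri]]
        if { $cat contains "Malicious" } { reject }
    }
}
ltm rule /Common/add_header {
    when HTTP_REQUEST {
        HTTP::header insert X-Seen 1
    }
}
"""
VIRTUALS_OUTPUT = """\
ltm virtual /Common/vs_web {
    destination /Common/192.0.2.10:80
    rules {
        /Common/categorize_uri
        /Common/add_header
    }
}
ltm virtual /Common/vs_api {
    destination /Common/192.0.2.11:443
    rules {
        /Common/add_header
    }
}
"""
# One top-level object per match: kind, full name, body up to the unindented closing brace.
BLOCK_RE = re.compile(r"^ltm (rule|virtual) (\S+) \{\n(.*?)^\}", re.M | re.S)
# Match the urlcat command itself, not an identifier that merely contains the word.
URLCAT_RE = re.compile(r"(?<![\w:])urlcat\b")
def rules_using_urlcat(rules_text):
    """Return the set of iRule names whose body invokes the urlcat command."""
    return {name for kind, name, body in BLOCK_RE.findall(rules_text)
            if kind == "rule" and URLCAT_RE.search(body)}
def exposed_virtuals(virtuals_text, urlcat_rules):
    """Map each virtual server to the urlcat-using iRules attached to it."""
    exposed = {}
    for kind, name, body in BLOCK_RE.findall(virtuals_text):
        m = re.search(r"rules \{(.*?)\}", body, re.S)
        attached = set(m.group(1).split()) if m else set()
        hits = sorted(attached & urlcat_rules)
        if kind == "virtual" and hits:
            exposed[name] = hits
    return exposed
for vs, rules in exposed_virtuals(VIRTUALS_OUTPUT, rules_using_urlcat(RULES_OUTPUT)).items():
    print(f"{vs}: review/restrict urlcat iRules {', '.join(rules)}")
```

On a live system the two strings would be replaced by the actual tmsh output; the flagged virtual servers are the ones to prioritize for patching and for TMM-stability monitoring.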