Feb 6, 2026·6 min read·24 visits
Critical buffer overflow in F5 BIG-IP's `ILX::call` command allows unauthenticated attackers to crash the TMM (DoS). Vulnerability stems from improper bounds checking in the iRules LX IPC mechanism. Discovered following the 2025 source code leak.
In the aftermath of the August 2025 F5 source code leak and the discovery of the 'BRICKSTORM' backdoor, security researchers uncovered a critical fragility in the bridge between F5's high-speed Traffic Management Microkernel (TMM) and its modern scripting engine, iRules LX. CVE-2025-53474 is a classic buffer overflow in the IPC mechanism handling `ILX::call` commands. By sending specific data through a virtual server configured with iRules LX, an unauthenticated attacker can overrun TMM's internal buffers, causing the microkernel to panic and terminate. In the world of BIG-IP, when TMM dies, everything dies.
F5 BIG-IP is the 800-pound gorilla of the internet infrastructure world. At its heart beats the TMM (Traffic Management Microkernel), a specialized, high-performance processing engine that handles packets directly from the NIC. TMM is written in C, optimized for speed, and famously intolerant of failure. If TMM crashes, the device reboots. Period.
For years, network engineers wrote logic in TCL (iRules). But TCL is old, and developers wanted modern tools. Enter iRules LX, a feature that allows TMM to offload complex logic to a sidecar Node.js process. It sounds great on paper: high-speed packet processing in the kernel, complex logic in JavaScript in user-space.
But bridges between highly optimized kernel-level code and high-level garbage-collected languages are notoriously difficult to secure. CVE-2025-53474 is what happens when that bridge collapses. It sits right in the ILX::call command—the specific instruction used to pass data from TMM to Node.js. It turns out, TMM wasn't skeptical enough about the size of the luggage it was asked to carry across the bridge.
The root cause here is depressingly classic: CWE-120 (Buffer Copy without Checking Size of Input). In the year 2025, we are still dealing with unchecked memcpy-style operations in critical infrastructure.
When an iRule executes ILX::call, TMM has to serialize the arguments provided by the user (or traffic) and send them via an RPC channel to the ilxplugin (the Node.js process). To do this, TMM allocates a buffer in its own memory space to stage the data.
The vulnerability arises because the routine responsible for copying the iRule arguments into this staging buffer failed to strictly validate that the input length matched the allocated buffer size. In C/C++ terms, the code likely calculated a buffer size based on defaults or partial data, but then copied the full user-supplied payload into it. When that payload exceeds the boundary, it overwrites adjacent memory on the TMM stack or heap.
This is particularly spicy because of the context: The F5 source code leaked in August 2025. It is highly probable that threat actors (like the UNC5221 group behind BRICKSTORM) simply greped the IPC code for memory copy operations and worked backward to find one where the length check was missing.
While the exact proprietary source code isn't public (legally), we can reconstruct the logic failure based on standard TMM architecture and the patch behavior.
The Vulnerable Logic (Conceptual):
// TMM receiving data from TCL interpreter to send to Node.js
void tmm_handle_ilx_call(char *user_data, int data_len) {
// FLAW: Fixed size buffer allocated for IPC message
char ipc_buffer[1024];
// FLAW: No check if data_len > 1024 before copying
// This overwrites the return address or critical structures
memcpy(ipc_buffer, user_data, data_len);
send_to_ilx_plugin(ipc_buffer);
}In the patched versions (17.5.1.3, etc.), F5 introduced explicit bounds checking. The fix effectively wraps the copy operation in a sanitary check:
// The Fix
void tmm_handle_ilx_call(char *user_data, int data_len) {
if (data_len > sizeof(ipc_buffer)) {
log_error("ILX payload too large");
return ERROR_TCL_EXCEPTION;
}
memcpy(ipc_buffer, user_data, data_len);
// ...
}The simplicity of the flaw contrasts sharply with the complexity of the impact. A single missing if statement in the microkernel brings down enterprise-grade hardware.
Exploiting this does not require advanced ROP chains or heap grooming if your goal is Denial of Service. You simply need to feed the beast more than it can chew.
Prerequisites:
ILX::call and pass attacker-controlled input (e.g., HTTP headers, URI, or payload) to it.Attack Scenario: Imagine a Virtual Server configured to scan HTTP headers with a Node.js script:
# Vulnerable iRule Pattern
when HTTP_REQUEST {
# Pass the User-Agent to Node.js for analysis
set handle [ILX::init "my_plugin" "my_extension"]
# The attacker controls [HTTP::header "User-Agent"]
set result [ILX::call $handle "analyze_ua" [HTTP::header "User-Agent"]]
}The Attack: The attacker sends a curl request with a massive, 10KB+ User-Agent string (or whatever length triggers the specific buffer overflow).
# The payload is just junk data, but A LOT of it
payload=$(python3 -c "print('A' * 5000)")
curl -H "User-Agent: $payload" https://target-bigip.com/The Result: The TMM process attempts to copy the 5000 'A's into a smaller internal buffer. Memory corruption occurs. TMM detects the illegal state (or segfaults) and panics. The BIG-IP system instantly stops processing traffic and reboots. If the attacker loops this request, the device enters a permanent boot loop.
Security teams often dismiss DoS vulnerabilities as "annoying but not critical." In the context of a Load Balancer, that mindset is dangerous. The BIG-IP is the chokepoint for the entire network. If the LB goes down, the applications behind it—Exchange, SharePoint, custom web apps—are unreachable.
Furthermore, in High Availability (HA) pairs, a crash on the Active unit forces a failover to the Standby. If the attacker sprays the attack across the subnet or persists the attack traffic, they can crash the Standby unit immediately after it takes over, causing a "split-brain" scenario or a total site outage.
The Darker Possibility: While the public disclosure focuses on DoS, buffer overflows in C are theoretically upgradeable to Remote Code Execution (RCE). With the F5 source code now in the wild (thanks to the leak), sophisticated actors (looking at you, BRICKSTORM) can study the memory layout of TMM. They could potentially craft a payload that doesn't just crash TMM, but redirects execution flow to inject shellcode. That turns a nuisance into a full system compromise.
If you are running iRules LX, you are in the danger zone. The only true fix is to patch.
Immediate Remediation: Upgrade to the fixed versions:
Workaround (If you can't patch):
Audit your iRules. If you find ILX::call, check if the data being passed is user-controlled. If it is, you can try to sanitize/truncate it in TCL before passing it to ILX, though this is risky as you'd be guessing the buffer size.
# Mitigation via Truncation (Band-aid)
set unsafe_input [HTTP::header "User-Agent"]
if { [string length $unsafe_input] > 256 } {
# Drop or truncate
reject
} else {
ILX::call $handle "func" $unsafe_input
}The safest workaround is to disable the affected iRules until the patch is applied.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
BIG-IP (All Modules) F5 | 17.5.0 - 17.5.1 | 17.5.1.3 |
BIG-IP (All Modules) F5 | 17.1.0 - 17.1.2 | 17.1.3 |
BIG-IP (All Modules) F5 | 16.1.0 - 16.1.6 | 16.1.6.1 |
BIG-IP (All Modules) F5 | 15.1.0 - 15.1.10.7 | 15.1.10.8 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-120 (Buffer Copy without Checking Size of Input) |
| Attack Vector | Network (CVSS: AV:N) |
| CVSS v3.1 | 7.5 (High) |
| Impact | Denial of Service (TMM Core Dump) |
| EPSS Score | 0.11% (Low probability, High impact) |
| Component | iRules LX (ILX::call) |
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.
A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.
CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.
Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.
An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.
An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.