CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-53474

F5 BIG-IP TMM: When Node.js Breaks the Kernel (CVE-2025-53474)

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 6, 2026·6 min read·24 visits

Executive Summary (TL;DR)

Critical buffer overflow in F5 BIG-IP's `ILX::call` command allows unauthenticated attackers to crash the TMM (DoS). Vulnerability stems from improper bounds checking in the iRules LX IPC mechanism. Discovered following the 2025 source code leak.

In the aftermath of the August 2025 F5 source code leak and the discovery of the 'BRICKSTORM' backdoor, security researchers uncovered a critical fragility in the bridge between F5's high-speed Traffic Management Microkernel (TMM) and its modern scripting engine, iRules LX. CVE-2025-53474 is a classic buffer overflow in the IPC mechanism handling `ILX::call` commands. By sending specific data through a virtual server configured with iRules LX, an unauthenticated attacker can overrun TMM's internal buffers, causing the microkernel to panic and terminate. In the world of BIG-IP, when TMM dies, everything dies.

The Hook: The Dangerous Bridge

F5 BIG-IP is the 800-pound gorilla of the internet infrastructure world. At its heart beats the TMM (Traffic Management Microkernel), a specialized, high-performance processing engine that handles packets directly from the NIC. TMM is written in C, optimized for speed, and famously intolerant of failure. If TMM crashes, the device reboots. Period.

For years, network engineers wrote logic in TCL (iRules). But TCL is old, and developers wanted modern tools. Enter iRules LX, a feature that allows TMM to offload complex logic to a sidecar Node.js process. It sounds great on paper: high-speed packet processing in the kernel, complex logic in JavaScript in user-space.

But bridges between highly optimized kernel-level code and high-level garbage-collected languages are notoriously difficult to secure. CVE-2025-53474 is what happens when that bridge collapses. It sits right in the ILX::call command—the specific instruction used to pass data from TMM to Node.js. It turns out, TMM wasn't skeptical enough about the size of the luggage it was asked to carry across the bridge.

The Flaw: A Classic Overflow in a Modern World

The root cause here is depressingly classic: CWE-120 (Buffer Copy without Checking Size of Input). In the year 2025, we are still dealing with unchecked memcpy-style operations in critical infrastructure.

When an iRule executes ILX::call, TMM has to serialize the arguments provided by the user (or traffic) and send them via an RPC channel to the ilxplugin (the Node.js process). To do this, TMM allocates a buffer in its own memory space to stage the data.

The vulnerability arises because the routine responsible for copying the iRule arguments into this staging buffer failed to strictly validate that the input length matched the allocated buffer size. In C/C++ terms, the code likely calculated a buffer size based on defaults or partial data, but then copied the full user-supplied payload into it. When that payload exceeds the boundary, it overwrites adjacent memory on the TMM stack or heap.

This is particularly spicy because of the context: The F5 source code leaked in August 2025. It is highly probable that threat actors (like the UNC5221 group behind BRICKSTORM) simply greped the IPC code for memory copy operations and worked backward to find one where the length check was missing.

The Code: Anatomy of a Crash

While the exact proprietary source code isn't public (legally), we can reconstruct the logic failure based on standard TMM architecture and the patch behavior.

The Vulnerable Logic (Conceptual):

// TMM receiving data from TCL interpreter to send to Node.js
void tmm_handle_ilx_call(char *user_data, int data_len) {
    // FLAW: Fixed size buffer allocated for IPC message
    char ipc_buffer[1024]; 
    
    // FLAW: No check if data_len > 1024 before copying
    // This overwrites the return address or critical structures
    memcpy(ipc_buffer, user_data, data_len);
    
    send_to_ilx_plugin(ipc_buffer);
}

In the patched versions (17.5.1.3, etc.), F5 introduced explicit bounds checking. The fix effectively wraps the copy operation in a sanitary check:

// The Fix
void tmm_handle_ilx_call(char *user_data, int data_len) {
    if (data_len > sizeof(ipc_buffer)) {
        log_error("ILX payload too large");
        return ERROR_TCL_EXCEPTION;
    }
    memcpy(ipc_buffer, user_data, data_len);
    // ...
}

The simplicity of the flaw contrasts sharply with the complexity of the impact. A single missing if statement in the microkernel brings down enterprise-grade hardware.

The Exploit: Crashing the Gatekeeper

Exploiting this does not require advanced ROP chains or heap grooming if your goal is Denial of Service. You simply need to feed the beast more than it can chew.

Prerequisites:

  1. Target BIG-IP must have a Virtual Server (VIP) listening.
  2. The VIP must have an iRule attached.
  3. The iRule must use ILX::call and pass attacker-controlled input (e.g., HTTP headers, URI, or payload) to it.

Attack Scenario: Imagine a Virtual Server configured to scan HTTP headers with a Node.js script:

# Vulnerable iRule Pattern
when HTTP_REQUEST {
    # Pass the User-Agent to Node.js for analysis
    set handle [ILX::init "my_plugin" "my_extension"]
    # The attacker controls [HTTP::header "User-Agent"]
    set result [ILX::call $handle "analyze_ua" [HTTP::header "User-Agent"]]
}

The Attack: The attacker sends a curl request with a massive, 10KB+ User-Agent string (or whatever length triggers the specific buffer overflow).

# The payload is just junk data, but A LOT of it
payload=$(python3 -c "print('A' * 5000)")
curl -H "User-Agent: $payload" https://target-bigip.com/

The Result: The TMM process attempts to copy the 5000 'A's into a smaller internal buffer. Memory corruption occurs. TMM detects the illegal state (or segfaults) and panics. The BIG-IP system instantly stops processing traffic and reboots. If the attacker loops this request, the device enters a permanent boot loop.

The Impact: Why 'Just DoS' is Dangerous

Security teams often dismiss DoS vulnerabilities as "annoying but not critical." In the context of a Load Balancer, that mindset is dangerous. The BIG-IP is the chokepoint for the entire network. If the LB goes down, the applications behind it—Exchange, SharePoint, custom web apps—are unreachable.

Furthermore, in High Availability (HA) pairs, a crash on the Active unit forces a failover to the Standby. If the attacker sprays the attack across the subnet or persists the attack traffic, they can crash the Standby unit immediately after it takes over, causing a "split-brain" scenario or a total site outage.

The Darker Possibility: While the public disclosure focuses on DoS, buffer overflows in C are theoretically upgradeable to Remote Code Execution (RCE). With the F5 source code now in the wild (thanks to the leak), sophisticated actors (looking at you, BRICKSTORM) can study the memory layout of TMM. They could potentially craft a payload that doesn't just crash TMM, but redirects execution flow to inject shellcode. That turns a nuisance into a full system compromise.

The Fix: Closing the Window

If you are running iRules LX, you are in the danger zone. The only true fix is to patch.

Immediate Remediation: Upgrade to the fixed versions:

  • 17.x: Upgrade to 17.5.1.3 or 17.1.3
  • 16.x: Upgrade to 16.1.6.1
  • 15.x: Upgrade to 15.1.10.8

Workaround (If you can't patch): Audit your iRules. If you find ILX::call, check if the data being passed is user-controlled. If it is, you can try to sanitize/truncate it in TCL before passing it to ILX, though this is risky as you'd be guessing the buffer size.

# Mitigation via Truncation (Band-aid)
set unsafe_input [HTTP::header "User-Agent"]
if { [string length $unsafe_input] > 256 } {
    # Drop or truncate
    reject
} else {
    ILX::call $handle "func" $unsafe_input
}

The safest workaround is to disable the affected iRules until the patch is applied.

Official Patches

F5F5 Security Advisory K44517780

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability
0.11%
Top 70% most exploited

Affected Systems

F5 BIG-IP LTMF5 BIG-IP APMF5 BIG-IP ASM/Advanced WAFF5 BIG-IP AFM

Affected Versions Detail

Product
Affected Versions
Fixed Version
BIG-IP (All Modules)
F5
17.5.0 - 17.5.117.5.1.3
BIG-IP (All Modules)
F5
17.1.0 - 17.1.217.1.3
BIG-IP (All Modules)
F5
16.1.0 - 16.1.616.1.6.1
BIG-IP (All Modules)
F5
15.1.0 - 15.1.10.715.1.10.8
AttributeDetail
CWE IDCWE-120 (Buffer Copy without Checking Size of Input)
Attack VectorNetwork (CVSS: AV:N)
CVSS v3.17.5 (High)
ImpactDenial of Service (TMM Core Dump)
EPSS Score0.11% (Low probability, High impact)
ComponentiRules LX (ILX::call)

MITRE ATT&CK Mapping

T1498Network Denial of Service
Impact
T1190Exploit Public-Facing Application
Initial Access
CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Known Exploits & Detection

HypotheticalExploitation involves sending oversized payloads to Virtual Servers configured with iRules LX.

Vulnerability Timeline

F5 Source Code Leaked / BRICKSTORM Detected
2025-08-01
CVE-2025-53474 Published in F5 QSN
2025-10-15
Patches released for BIG-IP 17.x, 16.x, 15.x
2025-10-15

References & Sources

  • [1]F5 Security Advisory K44517780
  • [2]ZeroPath Technical Analysis
  • [3]Resecurity Report on Source Code Leak

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•GHSA-VJC7-JRH9-9J86
10.0

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.

Amit Schendel
Amit Schendel
3 views•5 min read
•about 2 hours ago•CVE-2026-55790
7.4

CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.

Alon Barad
Alon Barad
3 views•7 min read
•about 2 hours ago•CVE-2026-55793
5.9

CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.

Alon Barad
Alon Barad
4 views•8 min read
•about 3 hours ago•CVE-2026-55794
8.7

CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 3 hours ago•GHSA-CGFV-JRFP-2R7V
8.5

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

Amit Schendel
Amit Schendel
4 views•5 min read
•about 4 hours ago•GHSA-QRWJ-VH9X-GW5V
8.0

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

Amit Schendel
Amit Schendel
5 views•5 min read