High

TMM Crash via Brainpool ECC Cipher in F5 BIG-IP

Identifiers: CVE-2025-60016, CWE-248

CVE-2025-60016 is a vulnerability in F5 BIG-IP where configuring Diffie-Hellman (DH) group Elliptic Curve Cryptography (ECC) Brainpool curves in an SSL profile's Cipher Rule or Cipher Group, and applying that profile to a virtual server, allows undisclosed traffic to trigger a termination of the Traffic Management Microkernel (TMM). This results in a denial of service condition for affected BIG-IP devices. The vulnerability is present in supported software versions; versions past End of Technical Support (EoTS) were not evaluated.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation of this vulnerability allows a remote attacker to cause the TMM process to terminate, resulting in a denial of service for the affected BIG-IP device. This can disrupt critical network services, especially given the common internet-facing deployment of BIG-IP devices. The risk is heightened by the recent breach of F5's internal systems, which may have exposed details of this and other vulnerabilities to sophisticated threat actors, increasing the likelihood of targeted attacks.

Mitigation

If you can’t patch tonight, do this now.

Until patches can be applied, organizations should restrict access to management interfaces, limit exposure of BIG-IP devices to trusted networks, and consider disabling the use of Brainpool ECC curves in SSL profiles if not operationally required. Monitor for anomalous TMM process terminations and proactively hunt for suspicious activity as recommended by CISA and F5 advisories.

Remediation

Patch, then assume compromise.

F5 has released security updates and advisories addressing this vulnerability. Organizations should immediately apply the relevant patches to all affected BIG-IP devices. Ensure that all software is updated to a version that includes the fix for CVE-2025-60016. Refer to F5's official advisories for specific patch information and upgrade instructions.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
F5 | BIG-IP Next Cloud-Native Network Functions | application
F5 | BIG-IP Next Service Proxy for Kubernetes | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
