CVE-2025-36525: 
F5 BIG-IP Virtual Edition (tier - best) vulnerability analysis and mitigation

When a BIG-IP APM virtual server is configured to use a PingAccess profile, undisclosed requests can cause TMM to terminate. The vulnerability, identified as CVE-2025-36525, was discovered and disclosed in May 2025, affecting F5 BIG-IP APM systems. Software versions which have reached End of Technical Support (EoTS) were not evaluated (NVD, CVE).

The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L. Additionally, it received a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-120 (Buffer Copy without Checking Size of Input) (NVD).

The primary impact of this vulnerability is the potential termination of the TMM (Traffic Management Microkernel) process when specific undisclosed requests are received. This can result in service disruption for the affected BIG-IP APM virtual server (NVD).

F5 Networks has released security updates to address this vulnerability. Users are advised to update their systems to the latest supported version. Specific details about the patches can be found in the F5 security advisory (F5 Advisory).