CVE-2025-55669: 
F5 BIG-IP Virtual Edition (tier - best) vulnerability analysis and mitigation

When the BIG-IP Advanced WAF and ASM security policy and a server-side HTTP/2 profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. The vulnerability, identified as CVE-2025-55669, affects BIG-IP Application Security Manager (ASM) versions from 16.1.0 to 16.1.6 and 17.1.0 to 17.1.2 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and a CVSS v4.0 score of 8.7 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L. The vulnerability is associated with CWE-672 (Operation on a Resource after Expiration or Release) (NVD, GBHackers).

The vulnerability affects the availability of the system by allowing undisclosed traffic to cause the Traffic Management Microkernel (TMM) to terminate. This can result in service disruption for systems using BIG-IP Advanced WAF and ASM security policy with server-side HTTP/2 profile configurations (NVD).

F5 has released patches for affected versions of BIG-IP ASM. Organizations should update their BIG-IP software as soon as possible. The vulnerability affects versions 16.1.0-16.1.6 and 17.1.0-17.1.2. Software versions which have reached End of Technical Support (EoTS) are not evaluated (NVD).