CVE-2025-60016: 
F5 BIG-IP Virtual Edition vulnerability analysis and mitigation

When Diffie-Hellman (DH) group Elliptic Curve Cryptography (ECC) Brainpool curves are configured in an SSL profile's Cipher Rule or Cipher Group, and that profile is applied to a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. This vulnerability (CVE-2025-60016) was disclosed on October 15, 2025, affecting F5's BIG-IP products including BIG-IP Next CNF and BIG-IP Next SPK (NVD).

The vulnerability has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Additionally, under CVSS v4.0, it received a score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (NVD).

The primary impact of this vulnerability is on system availability. When exploited, it can cause the Traffic Management Microkernel (TMM) to terminate, potentially leading to service disruption. The vulnerability specifically affects systems where Brainpool curves are configured in SSL profiles (NVD).

F5 has released patches for affected versions through their October 2025 Quarterly Security Notification. Organizations are strongly urged to update their BIG-IP software as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued emergency directive (ED) 26-01 recommending immediate patching of affected systems (Tenable).