CVE-2025-61960 is a vulnerability identified in F5 BIG-IP devices, specifically affecting versions 16.1.0, 17.1.0, and 17.5.0. The flaw is a NULL pointer dereference (CWE-476) occurring within the Traffic Management Microkernel (TMM) component when a per-request policy is configured on a BIG-IP Access Policy Manager (APM) portal access virtual server. This configuration triggers a condition where certain undisclosed traffic can cause the TMM process to dereference a NULL pointer, leading to its termination. The TMM is critical for handling traffic management and load balancing functions; its crash results in denial of service (DoS) for the affected BIG-IP device. The vulnerability does not require any authentication or user interaction, and the attack vector is network-based, making it remotely exploitable. Although no known exploits have been reported in the wild at the time of publication, the CVSS v3.1 base score of 7.5 reflects a high severity due to the potential for widespread service disruption. The vulnerability does not impact confidentiality or integrity but severely affects availability. The vendor has not yet published patches, and versions that have reached End of Technical Support (EoTS) are not evaluated, implying that unsupported versions remain vulnerable without vendor assistance. The vulnerability's root cause is a NULL pointer dereference, a common programming error that can be triggered by malformed or unexpected input traffic under specific configuration conditions.

For European organizations, the primary impact of CVE-2025-61960 is the potential for denial of service on critical network infrastructure components that rely on F5 BIG-IP devices, particularly those using the APM portal access virtual server with per-request policies. This can disrupt application delivery, remote access, and security enforcement functions, leading to operational downtime and potential business continuity issues. Sectors such as finance, telecommunications, government, and healthcare, which often deploy BIG-IP for secure access and load balancing, may experience significant service interruptions. The lack of authentication requirement and ease of remote exploitation increase the risk of targeted attacks or opportunistic scanning by threat actors. Additionally, unpatched devices in European data centers or cloud environments could be leveraged to cause cascading failures or to degrade service availability for end users. The impact on confidentiality and integrity is minimal; however, the availability impact is critical for organizations relying on uninterrupted access and traffic management.

1. Monitor F5's official advisories closely and apply security patches immediately once released for the affected BIG-IP versions. 2. Until patches are available, restrict network access to BIG-IP management and APM virtual servers using firewalls and access control lists to limit exposure to untrusted networks. 3. Disable or avoid configuring per-request policies on APM portal access virtual servers if not strictly necessary, as this configuration triggers the vulnerability. 4. Implement network segmentation to isolate BIG-IP devices from general user traffic and reduce attack surface. 5. Enable and review detailed logging and monitoring on BIG-IP devices to detect abnormal TMM crashes or unusual traffic patterns that could indicate exploitation attempts. 6. Conduct internal vulnerability scans and penetration tests to identify vulnerable BIG-IP instances. 7. Develop and test incident response plans to quickly recover from potential DoS conditions caused by TMM crashes. 8. Consider deploying redundant BIG-IP devices or failover mechanisms to maintain availability during potential outages.