PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9249 F5 CVE debrief

CVE-2016-9249 is a denial-of-service issue affecting F5 BIG-IP deployments with TCP Fast Open enabled on a virtual server. According to the official NVD description, an undisclosed traffic pattern can cause the Traffic Management Microkernel (TMM) to restart, interrupting traffic handling and availability. The CVE was published on 2017-01-31 and is rated HIGH in the supplied corpus.

Vendor: F5
Product: CVE-2016-9249
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

F5 BIG-IP administrators and network/security teams responsible for load balancers or security modules that may have TCP Fast Open enabled, especially on internet-facing or critical virtual servers. Environments running the affected BIG-IP module/version combinations listed by NVD should review exposure promptly.

Technical summary

NVD describes the flaw as a network-triggered DoS condition: when a BIG-IP Virtual Server has TCP Fast Open enabled, an undisclosed traffic pattern may restart TMM. The supplied NVD record maps the issue to CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-20. The vulnerable CPEs in the corpus include BIG-IP Local Traffic Manager, Application Acceleration Manager, Advanced Firewall Manager, Analytics, Access Policy Manager, Application Security Manager, Domain Name System, Link Controller, Policy Enforcement Manager, and WebSafe at versions 12.0.0, 12.1.0, and 12.1.1.

Defensive priority

High for affected BIG-IP systems that use TCP Fast Open, because the issue can restart a core traffic-processing component and directly impact service availability. Priority is lower for deployments that do not enable TCP Fast Open on virtual servers.

Recommended defensive actions

  • Inventory BIG-IP virtual servers and determine whether TCP Fast Open is enabled.
  • Check whether any deployed BIG-IP module/version matches the affected CPEs listed in the NVD record.
  • Review and apply F5 guidance in advisory K71282001 for mitigation or remediation steps.
  • Plan maintenance to update or reconfigure affected BIG-IP systems as recommended by F5.
  • Monitor for unexpected TMM restarts or availability interruptions on affected appliances.
  • If TCP Fast Open is not required in a given deployment, assess whether it can be disabled as part of remediation planning.
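The first two actions above can be scripted as a single triage pass. The following is an added example, not F5 or NVD code. It assumes a tmsh-style configuration text in which TCP profiles carry `fast-open` and `defaults-from` keys; the sample configuration is constructed and the function names are hypothetical. A profile that sets nothing itself inherits the setting from its parent.

```python
import re
AFFECTED_VERSIONS = {"12.0.0", "12.1.0", "12.1.1"}  # versions named on this page
# Constructed sample; the tmsh-style layout and key names are assumptions.
SAMPLE_CONF = """\
ltm profile tcp /Common/tcp-tfo {
    fast-open enabled
}
ltm profile tcp /Common/tcp-child {
    defaults-from /Common/tcp-tfo
}
ltm profile tcp /Common/tcp-safe {
    defaults-from /Common/tcp-tfo
    fast-open disabled
}
ltm virtual /Common/vs_web {
    profiles {
        /Common/tcp-child { }
    }
}
ltm virtual /Common/vs_api {
    profiles {
        /Common/tcp-safe { }
    }
}
"""
STANZA = re.compile(r"^ltm (profile tcp|virtual) (\S+) \{\n(.*?)^\}", re.M | re.S)

def tfo_virtuals(conf):
    """Virtual servers whose TCP profile resolves to fast-open enabled."""
    profiles, virtuals = {}, {}
    for kind, name, body in STANZA.findall(conf):
        if kind == "profile tcp":
            tfo = re.search(r"^\s*fast-open (enabled|disabled)", body, re.M)
            parent = re.search(r"^\s*defaults-from (\S+)", body, re.M)
            profiles[name] = (tfo and tfo.group(1), parent and parent.group(1))
        else:
            virtuals[name] = re.findall(r"^\s+(\S+) \{", body, re.M)
    def enabled(name, seen=()):
        if name not in profiles or name in seen:
            return False  # undefined in this text, or a loop: check by hand
        tfo, parent = profiles[name]
        return tfo == "enabled" if tfo else enabled(parent, seen + (name,))
    return sorted(v for v, used in virtuals.items() if any(enabled(p) for p in used))

def triage(version, conf):
    """Page's priority rule: affected version plus TFO on a virtual server."""
    hits = tfo_virtuals(conf)
    level = "high" if hits else "lower"
    return (level if version in AFFECTED_VERSIONS else "not-listed"), hits
```

A `not-listed` result only means the version is not one of the three named on this page; the NVD record and K71282001 remain the reference for the full affected list.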

Evidence notes

Primary evidence comes from the official NVD record for CVE-2016-9249, which states that an undisclosed traffic pattern received by a BIG-IP Virtual Server with TCP Fast Open enabled may cause TMM to restart, resulting in DoS. The NVD metadata also lists CVSS v3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-20. The record references F5 vendor advisory K71282001 plus third-party advisory entries (BID 95825 and SecurityTracker 1037715). The published date used here is 2017-01-31, from the supplied corpus; the 2026 modified date is metadata, not the original disclosure date.

Official resources

Publicly disclosed in the official CVE/NVD record on 2017-01-31; the supplied corpus also references the F5 vendor advisory K71282001 and third-party advisories. The 2026 modified timestamp reflects record maintenance, not the original issue date.