F5 Networks has disclosed a high-severity command injection vulnerability (CVE-2025-31644) in its BIG-IP products running in Appliance mode.
The vulnerability exists in an undisclosed iControl REST endpoint and BIG-IP TMOS Shell (tmsh) command, allowing attackers to bypass Appliance mode security restrictions.
Classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), the flaw received a CVSS v3.1 score of 8.7 and a CVSS v4.0 score of 8.5, both rated as "High" severity.
"This command injection vulnerability may allow an authenticated attacker to cross a security boundary and execute arbitrary Advanced Shell (bash) commands," F5 stated in its security advisory.
The vulnerability affects BIG-IP versions 17.1.0-17.1.2, 16.1.0-16.1.5, and 15.1.0-15.1.10.
Command Injection in F5 BIG-IP "save" Command
Security researcher Matei "Mal" Badanoiu of Deloitte discovered that the "file" parameter of the "save" command is vulnerable to command injection attacks.
When exploited, this vulnerability allows attackers to manipulate the command syntax to execute unintended operations with elevated privileges.
A proof-of-concept exploit released on GitHub demonstrates how attackers can craft malicious commands using shell metacharacters to separate legitimate operations and inject arbitrary commands.
The exploit terminates the save command prematurely with the }; sequence and then executes a system call via bash -c id to print the current user's ID, confirming execution as root.
The vulnerability can only be exploited by attackers who have valid administrator credentials and network access to the affected iControl REST endpoint, or local access to the affected tmsh command.
While the attack surface is limited to authenticated users, the potential impact remains significant because it allows privileged users to execute commands beyond their intended authorization level.
Successful exploitation allows attackers to:
Execute arbitrary system commands with root privileges.
Create or delete files through the BIG-IP management port.
Access self IP addresses.
Bypass Appliance mode security restrictions.
Security experts note that there is no data plane exposure, meaning the vulnerability is limited to the control plane only.
Risk factors at a glance:
Affected Products: BIG-IP versions 17.1.0-17.1.2, 16.1.0-16.1.5, and 15.1.0-15.1.10
Impact: Execute arbitrary system commands as root
Exploit Prerequisites: Valid administrator credentials; access to the iControl REST API or the tmsh shell
CVSS 3.1 Score: 8.7 (High)
Remediation
F5 has released patches for the affected versions: 17.1.2.2, 16.1.6, and 15.1.10.7. Organizations are strongly advised to update to these patched versions immediately.
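The affected ranges and fixed versions above are the only facts an administrator needs to triage an estate of BIG-IP devices. The following Python helper is an added example, not code from F5 or from the advisory: it encodes the three affected branches exactly as the advisory lists them, compares a device's reported version against them, and names the first fixed release for that branch. The version strings, hostnames and the notion of a "branch" being the first two version components are assumptions of this example; the runner note in the advisory is the only source for the numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Branch:
    """One affected BIG-IP branch as listed in the CVE-2025-31644 advisory."""
    first: tuple   # first affected version (three components)
    last: tuple    # last affected version (three components, inclusive)
    fixed: tuple   # first release that carries the fix

# Affected ranges and fixed versions, taken from the advisory text above.
BRANCHES = (
    Branch((17, 1, 0), (17, 1, 2), (17, 1, 2, 2)),
    Branch((16, 1, 0), (16, 1, 5), (16, 1, 6, 0)),
    Branch((15, 1, 0), (15, 1, 10), (15, 1, 10, 7)),
)

def parse_version(text):
    """Parse '17.1.2.1' into (17, 1, 2, 1); shorter strings are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def format_version(v):
    """Render a version tuple without a trailing '.0' engineering-hotfix component."""
    parts = list(v)
    while len(parts) > 3 and parts[-1] == 0:
        parts.pop()
    return ".".join(str(p) for p in parts)

def assess(version_text):
    """Return 'vulnerable', 'fixed' or 'not-in-advisory' for a BIG-IP version string.

    A version is vulnerable when it lies inside an affected range on its first three
    components and is older than the branch's fixed release, so 17.1.2.1 is vulnerable
    while 17.1.2.2 is fixed.
    """
    v = parse_version(version_text)
    for b in BRANCHES:
        if v[:2] != b.first[:2]:
            continue  # different branch (e.g. 17.0.x is not 17.1.x)
        if v >= b.fixed:
            return "fixed"
        if b.first <= v[:3] <= b.last:
            return "vulnerable"
        return "not-in-advisory"
    return "not-in-advisory"

def target_version(version_text):
    """Return the first fixed release for the device's branch, or None if no branch matches."""
    v = parse_version(version_text)
    for b in BRANCHES:
        if v[:2] == b.first[:2]:
            return format_version(b.fixed)
    return None

def triage(inventory):
    """Given {hostname: version}, return {hostname: fixed_release} for devices that need patching."""
    return {
        host: target_version(ver)
        for host, ver in inventory.items()
        if assess(ver) == "vulnerable"
    }

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for this example.
    sample = {
        "bigip-dc1-a": "17.1.2.1",
        "bigip-dc1-b": "17.1.2.2",
        "bigip-dc2-a": "16.1.4",
        "bigip-lab":   "15.1.10",
        "bigip-old":   "14.1.4",
    }
    for host, fix in sorted(triage(sample).items()):
        print(f"{host}: vulnerable to CVE-2025-31644, upgrade to {fix}")
```

Feed the inventory from whatever source of truth the organization already has (CMDB export, `show sys version` output collected over SSH); the point of keeping the data in `BRANCHES` is that when F5 amends the advisory only that table changes.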
For systems that cannot be patched immediately, F5 recommends the following temporary mitigations:
Block iControl REST access through self IP addresses by changing the Port Lockdown setting to "Allow None".
Block iControl REST access through the management interface.
Restrict SSH access to trusted networks only.
Use packet filtering to limit access to specific IP ranges.
"As this attack is conducted by legitimate, authenticated administrator role users, there is no viable mitigation that also allows users access to the BIG-IP system. The only mitigation is to remove access for users who are not completely trusted," F5 advised.
Organizations using F5 BIG-IP should immediately assess their exposure and apply the required patches or mitigations to safeguard their environments against this critical vulnerability.