<h1>F5 BIG-IP Command Injection Vulnerability Lets Attackers Execute Arbitrary System Commands</h1>
<p>By Guru Baran, Cyber Security News, 13 May 2025. Originally published at <a href="https://cybersecuritynews.com/f5-big-ip-command-injection-vulnerability/">cybersecuritynews.com</a>; this copy is the syndicated post at <a href="https://serisec.com/index.php/2025/05/13/f5-big-ip-command-injection-vulnerability-let-attackers-execute-arbitrary-system-commands/">serisec.com</a>.</p>
<div>
<p>F5 Networks has disclosed a high-severity command injection vulnerability (CVE-2025-31644) in its BIG-IP products running in Appliance mode.</p>
<p>F5’s advisory locates the flaw in an undisclosed iControl REST endpoint and BIG-IP TMOS Shell (tmsh) command. Exploiting it lets an authenticated administrator escape the restrictions that Appliance mode is meant to enforce.</p>
<p>Classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), the flaw received a CVSS v3.1 score of 8.7 and a CVSS v4.0 score of 8.5, both rated “High” severity.</p>
<p>“This command injection vulnerability may allow an authenticated attacker to cross a security boundary and execute arbitrary Advanced Shell (bash) commands,” F5 stated in its security advisory.</p>
<p>The vulnerability affects BIG-IP versions 17.1.0 through 17.1.2, 16.1.0 through 16.1.5, and 15.1.0 through 15.1.10.</p>
<h2 class="wp-block-heading"><strong>Command Injection in F5 BIG-IP “save” Command</strong></h2>
<p>Security researcher Matei “Mal” Badanoiu of Deloitte found that the “file” parameter of the tmsh “save” command is vulnerable to command injection: the value reaches a shell without adequate neutralization, so shell metacharacters in it change the structure of the command that actually runs.</p>
<p>Because that command executes with the privileges of the underlying system rather than those of the restricted tmsh session, an attacker can use it to perform operations that Appliance mode is supposed to deny.</p>
<p>A proof-of-concept exploit published on GitHub shows how shell metacharacters in the parameter split the legitimate operation and inject an arbitrary command:</p>
<div class="wp-block-image">
<figure class="aligncenter"><img decoding="async" src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcM9zmmoTdaBmfWaRZledDTmEgjq6TgVoca9VmBwTQkG_6DhkS1T8sF3TZB1CFKy_b75CnwMXY8FSIqM2RvpfC19RL5ZOhMrvgB--sxpX_NbTFAMrxSLB3wfmupEYpLyQ8h_GTD_A?key=80WMCsGc39QdlAKbRgkjlQ" alt="Proof-of-concept command injection through the file parameter of the tmsh save command"></figure>
</div>
<p>The exploit terminates the save command prematurely with the <code>};</code> sequence and then runs <code>bash -c id</code>, which prints the identity of the user executing the injected command and confirms that it runs as root.</p>
<p>The vulnerability can only be exploited by attackers who hold valid administrator credentials and who have either network access to the affected iControl REST endpoint or local access to the affected tmsh command.</p>
<p>Although the attack surface is limited to authenticated users, the impact remains significant: it lets already-privileged users execute commands beyond the authorization level that Appliance mode grants them.</p>
<p>Successful exploitation allows attackers to:</p>
<ul class="wp-block-list">
<li>Execute arbitrary system commands with root privileges.</li>
<li>Create or delete files on the BIG-IP system.</li>
<li>Bypass Appliance mode security restrictions.</li>
</ul>
<p>The affected endpoint and command are reachable through the BIG-IP management port and through self IP addresses. This is a control plane issue only; there is no data plane exposure.</p>
<figure class="wp-block-table is-style-stripes">
<table class="has-fixed-layout">
<tbody>
<tr>
<td><strong>Risk Factors</strong></td>
<td><strong>Details</strong></td>
</tr>
<tr>
<td>Affected Products</td>
<td>BIG-IP 17.1.0 through 17.1.2; 16.1.0 through 16.1.5; 15.1.0 through 15.1.10</td>
</tr>
<tr>
<td>Impact</td>
<td>Execute arbitrary system commands as root</td>
</tr>
<tr>
<td>Exploit Prerequisites</td>
<td>Valid administrator credentials; network access to the iControl REST API or local access to the tmsh shell</td>
</tr>
<tr>
<td>CVSS v3.1 Score</td>
<td>8.7 (High)</td>
</tr>
<tr>
<td>CVSS v4.0 Score</td>
<td>8.5 (High)</td>
</tr>
</tbody>
</table>
</figure>
<h2 class="wp-block-heading"><strong>Remediation</strong></h2>
<p>F5 has <a href="https://my.f5.com/manage/s/article/K000148591" target="_blank" rel="noreferrer noopener nofollow">released</a> fixed versions for each affected branch: 17.1.2.2, 16.1.6, and 15.1.10.7. Organizations are strongly advised to update to these versions immediately.</p>
<p>For systems that cannot be patched immediately, F5 recommends temporary mitigations that reduce who can reach the vulnerable interfaces:</p>
<ul class="wp-block-list">
<li>Block iControl REST access through self IP addresses by changing the Port Lockdown setting of each self IP to “Allow None”.</li>
<li>Block iControl REST access through the management interface.</li>
<li>Restrict SSH access to trusted networks only.</li>
<li>Use packet filtering to limit access to specific IP ranges.</li>
</ul>
<p>“As this attack is conducted by legitimate, authenticated administrator role users, there is no viable mitigation that also allows users access to the BIG-IP system. The only mitigation is to remove access for users who are not completely trusted,” F5 advised.</p>
<p>Organizations using F5 BIG-IP should assess their exposure now and apply the fixed versions or, failing that, the mitigations above to protect their environments against this high-severity vulnerability.</p>
</div>
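<p>The break-out the proof of concept relies on (a metacharacter sequence that ends the intended command and starts a new one) is the general CWE-78 pattern, not something specific to tmsh. The script below is an added example and is not the PoC, BIG-IP code, or anything published by F5 or the researcher: it models a wrapper that splices a caller-supplied file name into a command string which a shell re-parses, shows the injection succeeding, and contrasts it with a wrapper that allowlists the name and passes it as a single argument. The function names, the allowlist and the payload are assumptions made for the illustration.</p>

```sh
#!/bin/sh
# Added example, not BIG-IP or F5 code: a minimal command wrapper showing the
# CWE-78 pattern behind a "save ... file <name>" break-out, and a hardened form.

# Stand-in for the privileged backend action. The real thing would write a
# configuration file as root; here it only echoes the name it was handed so the
# effect of each wrapper is visible.
backend_save() {
    printf 'saved:%s\n' "$1"
}

# VULNERABLE: the caller-controlled name is spliced into a command string that
# the shell parses again. A ';' (or '}', '|', '$(...)') in the name ends the
# intended command, and whatever follows runs with the wrapper's privileges.
vulnerable_save() {
    eval "backend_save $1"
}

# Allowlist check for a configuration file name (assumed policy): non-empty,
# only [A-Za-z0-9._-], and not starting with a dot (rules out ".." and hidden
# files).
valid_name() {
    case "$1" in
        '')                  return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
        .*)                  return 1 ;;
        *)                   return 0 ;;
    esac
}

# HARDENED: validate first, then pass the value as one argv element so the
# shell never re-parses it. Metacharacters are rejected, not "neutralized".
hardened_save() {
    if ! valid_name "$1"; then
        printf 'rejected:%s\n' "$1" >&2
        return 2
    fi
    backend_save "$1"
}

# Stand-alone demonstration with a constructed payload.
vulnerable_save 'x; echo INJECTED'          # the injected command runs
hardened_save 'x; echo INJECTED' || echo "hardened wrapper refused (rc=$?)"
```

<p>The second wrapper does two independent things: it rejects anything outside a small allowlist, and it never hands the value back to a shell parser. Either alone closes this particular payload; together they also cover the cases the allowlist author did not think of.</p>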
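<p>The first mitigation in the Remediation section is applied per self IP. The script below is an added example, not F5 tooling: it takes text in the shape that <code>tmsh list /net self</code> produces (the brace layout of the sample is an assumption made here, and the sample itself is constructed), lists every self IP whose Port Lockdown is anything other than none, and prints the <code>tmsh modify /net self &lt;name&gt; allow-service none</code> command that locks each one down. Review the generated commands before running them on an appliance: a self IP that must keep carrying HA or config-sync traffic needs a narrower allow list rather than none.</p>

```sh
#!/bin/sh
# Added example, not F5 tooling: audit Port Lockdown on self IPs from
# `tmsh list /net self` output and emit the lockdown commands.

# Constructed sample in the shape of `tmsh list /net self` output (assumption:
# the real output uses this brace layout). Three self IPs: one at the default
# lockdown, one already set to none, one with an explicit service list.
SAMPLE_SELF_LIST='net self external_self {
    address 203.0.113.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self internal_self {
    address 10.1.20.5/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan internal
}
net self ha_self {
    address 10.1.30.5/24
    allow-service {
        tcp:443
        tcp:22
    }
    traffic-group traffic-group-local-only
    vlan ha
}'

# Read tmsh output on stdin; print the name of every self IP whose
# allow-service is not "none". A self IP with no allow-service line at all is
# reported too (conservative: unknown is treated as exposed).
exposed_self_ips() {
    awk '
        /^net self /                    { name = $3; mode = "" }
        /^[ \t]*allow-service none/     { mode = "none" }
        /^[ \t]*allow-service [{]/      { mode = "open" }
        /^[}]/ { if (name != "" && mode != "none") print name; name = "" }
    '
}

# Turn the exposed list into the tmsh commands that set Port Lockdown to
# "Allow None" on each one (printed, not executed).
lockdown_commands() {
    exposed_self_ips | while IFS= read -r self; do
        printf 'tmsh modify /net self %s allow-service none\n' "$self"
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SELF_LIST" | lockdown_commands
```

<p>On a real appliance the input would come from <code>tmsh list /net self</code> rather than the constructed variable; the script prints the commands instead of running them so the result can be checked against the device's HA and config-sync needs first.</p>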