F5 has disclosed a high-severity F5 BIG-IP command injection vulnerability identified as CVE-2025-31644, affecting BIG-IP systems operating in Appliance mode. The flaw allows authenticated administrators to execute arbitrary system commands with root privileges.
Vulnerability Summary
The vulnerability stems from improper input handling in an undisclosed iControl REST API endpoint and the “save” command in TMOS Shell (tmsh). It is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command and has received:
- CVSS v3.1 score: 8.7 (High)
- CVSS v4.0 score: 8.5 (High)
Affected BIG-IP Versions
This vulnerability affects the following versions of BIG-IP:
- 17.1.0 to 17.1.2
- 16.1.0 to 16.1.5
- 15.1.0 to 15.1.10
Exploitation Method
The issue involves command injection through the “file” parameter of the tmsh save operation. By crafting input containing shell metacharacters, attackers can break out of the intended command structure and append arbitrary system commands.
An example exploit might use syntax such as \}; bash -c id to end the legitimate command and run a secondary payload, confirming execution as the root user.
To exploit the flaw, attackers must:
- Possess valid administrator credentials
- Have access to the iControl REST API or tmsh shell
The flaw is reachable only through the control plane; the data plane is not exposed.
Potential Impact
Successful exploitation allows attackers to:
- Execute arbitrary bash commands with root privileges
- Create or delete files via the management interface
- Access self IP configurations
- Bypass Appliance mode restrictions
Mitigation and Patch Guidance
F5 has issued security patches in the following versions:
- 17.1.2.2
- 16.1.6
- 15.1.10.7
Organizations should upgrade to a patched version immediately.
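Tying the affected version ranges listed above to these fixed releases, the following added example (my own Python, not F5's tooling) classifies a BIG-IP version string as vulnerable, patched, or outside the branches this advisory names, treating four-part point releases such as 17.1.2.2 as ordered within their branch; whether the system runs in Appliance mode is passed as a flag, since the page scopes the flaw to that mode.

```python
"""Classify a BIG-IP version string against the affected ranges and fixed
releases for CVE-2025-31644 listed in this advisory.  Added example, not
F5's own tooling; the version table is transcribed from the text above."""
from typing import Tuple

# (first affected release, fixed release) per branch, as stated on this page.
# Four-part releases such as 17.1.2.2 are point releases within the branch.
BRANCHES = [
    ("17.1.0", "17.1.2.2"),
    ("16.1.0", "16.1.6"),
    ("15.1.0", "15.1.10.7"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'major.minor.maint[.point]' into a 4-tuple, padding with 0
    so that '17.1.2' compares equal to '17.1.2.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def version_status(version: str) -> str:
    """Return 'vulnerable', 'patched', or 'unlisted' (branch not on the page)."""
    v = parse_version(version)
    for first_affected, fixed in BRANCHES:
        lo, fix = parse_version(first_affected), parse_version(fixed)
        if v[:2] != lo[:2]:
            continue  # different major.minor branch
        if v >= fix:
            return "patched"
        if v >= lo:
            return "vulnerable"
    # Branches the advisory does not name (e.g. 14.1.x) are out of its scope.
    return "unlisted"


def assess(version: str, appliance_mode: bool) -> str:
    """Combine the version check with the Appliance-mode condition the
    advisory states: a vulnerable build that is not running in Appliance
    mode is reported as 'not-applicable'."""
    status = version_status(version)
    if status == "vulnerable" and not appliance_mode:
        return "not-applicable"
    return status
```

Run it against the version string reported by each BIG-IP in your inventory; an "unlisted" result means the branch is not covered by this advisory's text, not that it is safe.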
If patching is not immediately feasible, apply these temporary mitigations:
- Configure Port Lockdown on self IP addresses to “Allow None”
- Block iControl REST API access through the management interface
- Restrict SSH access to trusted IP ranges only
- Use packet filtering to limit exposure to specific sources
F5 also notes that since the attack requires admin-level credentials, access should be limited strictly to trusted users.
Conclusion
The F5 BIG-IP command injection vulnerability CVE-2025-31644 underscores the need to secure administrative interfaces and apply patches promptly. Organizations running affected BIG-IP versions should act without delay to reduce exposure.