F5 BIG-IP Bug Exposes Systems to Arbitrary Command Injection Attacks

F5 Networks has disclosed a high-severity command injection vulnerability affecting its BIG-IP products running in Appliance mode, tracked as CVE-2025-31644. The flaw, which lies in an undisclosed iControl REST endpoint and in the BIG-IP TMOS Shell (tmsh) command set, allows an authenticated attacker to bypass Appliance mode restrictions and execute arbitrary system commands.

Classified under CWE-78: Improper Neutralization of Special Elements in OS Commands, the vulnerability received a CVSS v3.1 score of 8.7 and CVSS v4.0 score of 8.5, both categorized as High severity.

According to F5’s security advisory, "This command injection vulnerability may allow an authenticated attacker to cross a security boundary and execute arbitrary Advanced Shell (bash) commands."

Affected Versions

The vulnerability impacts the following BIG-IP versions:

  • 17.1.0 – 17.1.2

  • 16.1.0 – 16.1.5

  • 15.1.0 – 15.1.10

Root Cause: Vulnerable “save” Command

The issue was uncovered by security researcher Matei “Mal” Badanoiu of Deloitte, who found that the “file” parameter of the save command is vulnerable to command injection. The value is not neutralized before reaching the shell, so an attacker can use shell metacharacters to terminate the intended operation and append commands of their own.

A proof-of-concept exploit posted on GitHub shows how the injection can be carried out using the sequence \}; bash -c "id" to confirm code execution as the root user.

Exploitation Requirements

To exploit this vulnerability, attackers must:

  • Have valid administrator credentials

  • Have network access to the vulnerable iControl REST endpoint or local access to the tmsh command

While exploitation is limited to authenticated admin users, the impact is critical: it lets those users step outside the restricted Appliance mode and run unrestricted system-level commands they are not authorized to run.

Potential Impact

Successful exploitation could allow attackers to:

  • Execute arbitrary commands as root

  • Create or delete system files

  • Access internal network interfaces (self IPs)

  • Bypass Appliance mode protections

Importantly, F5 notes that the data plane is not affected—the exposure is limited to the control plane.

Mitigation and Patching

F5 has released security patches in the following versions:

  • 17.1.2.2

  • 16.1.6

  • 15.1.10.7

Organizations should apply these updates immediately to mitigate risk.
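The version ranges above are easy to misread once point releases are involved (for example, is 15.1.10.5 inside "15.1.0 – 15.1.10"?). The following script is an added example, not an F5 tool: it encodes the affected branches and fixed releases exactly as the article lists them and classifies each device in a constructed sample inventory. The one assumption it makes, noted in the code, is the usual "fixed in" reading of an advisory: every release in an affected branch below the fixed release is treated as vulnerable, and branches the advisory does not mention are reported as "not listed" rather than as safe.

```python
"""Exposure check for CVE-2025-31644 against a BIG-IP version inventory.

Added example, not an F5 tool. Affected branches and fixed releases are the
ones the article lists. Assumption: any release in an affected branch that is
older than the fixed release is vulnerable (standard "fixed in" semantics).
The inventory below is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# branch -> (first affected release, fixed release), from the advisory summary
FIXED_IN: Dict[str, Tuple[str, str]] = {
    "17.1": ("17.1.0", "17.1.2.2"),
    "16.1": ("16.1.0", "16.1.6"),
    "15.1": ("15.1.0", "15.1.10.7"),
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)+$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'17.1.2' -> (17, 1, 2, 0): pad to four parts so 17.1.2 sorts below 17.1.2.2."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a dotted version string: {version!r}")
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts)) if len(parts) < 4 else parts


def assess(version: str) -> Dict[str, str]:
    """Classify one BIG-IP version as vulnerable, fixed, or not listed in the advisory."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch not in FIXED_IN:
        # Not in the affected list; report that rather than calling it safe.
        return {"version": version, "status": "not_listed", "fix": ""}
    first, fixed = FIXED_IN[branch]
    if parse_version(first) <= parsed < parse_version(fixed):
        return {"version": version, "status": "vulnerable", "fix": fixed}
    return {"version": version, "status": "fixed", "fix": fixed}


def devices_needing_patch(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory rows still on a vulnerable release, each with its target fix."""
    needing = []
    for dev in inventory:
        result = assess(dev["version"])
        if result["status"] == "vulnerable":
            needing.append({**dev, "fix": result["fix"]})
    return needing


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "bigip-edge-1", "version": "17.1.1"},
    {"host": "bigip-edge-2", "version": "17.1.2.2"},
    {"host": "bigip-dc-1", "version": "15.1.10.5"},
    {"host": "bigip-lab", "version": "16.1.6"},
]

if __name__ == "__main__":
    for row in devices_needing_patch(SAMPLE_INVENTORY):
        print(f"{row['host']}: {row['version']} -> upgrade to {row['fix']}")
```

Feed it the version strings from your own inventory (tmsh `show sys version` output or an asset database) and treat every "vulnerable" row as a patch ticket; "not_listed" rows deserve a manual check against the advisory rather than an assumption of safety.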

Temporary Mitigation Options

For systems that can’t be patched right away, F5 recommends:

  • Blocking iControl REST access on self IPs (Port Lockdown → Allow None)

  • Blocking iControl REST on the management interface

  • Restricting SSH access to trusted IPs only

  • Using packet filtering to limit access

However, F5 warns:

“As this attack is conducted by legitimate, authenticated administrator role users, there is no viable mitigation that also allows users access to the BIG-IP system. The only mitigation is to remove access for users who are not completely trusted.”

Final Recommendations

Organizations using F5 BIG-IP systems should:

  • Assess exposure immediately

  • Patch affected systems

  • Restrict access to trusted admins

  • Monitor for unusual admin activity

Given the potential for privilege escalation and system compromise, prompt action is essential to reduce risk.
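Because the only real mitigation is trusting your administrators, "monitor for unusual admin activity" is the control that catches misuse of a legitimate account. The script below is an added example, not F5 code: it scans tmsh audit lines for save commands whose file argument is anything other than a plain path, which is what the injection described above has to look like on the wire. The audit-line layout it parses is a constructed, hypothetical one (BIG-IP's real log format is not reproduced here), so adapt parse_line() to what your forwarder emits; the flagged sample line reuses the metacharacter sequence the article quotes, and the users, addresses and timestamps are made up.

```python
"""Flag tmsh 'save' invocations whose file argument carries shell metacharacters.

Added example, not F5 code. Audit-line layout is hypothetical:
    <ts> user=<name> src=<ip> tmsh: <command>
Sample lines are constructed; the suspicious one reuses the sequence quoted
in the article.
"""
import re
from typing import Dict, List, Optional

_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+tmsh:\s+(?P<cmd>.*)$"
)

# save <module> <component> [file] <argument>  -> capture <argument>
_SAVE_RE = re.compile(r"^save\s+\S+\s+\S+(?:\s+file)?\s+(?P<arg>.+)$")

# A benign file argument is path characters only. Quotes, braces, semicolons,
# backslashes, $(), backticks, pipes or spaces are not part of a filename.
_SAFE_ARG = re.compile(r"^[A-Za-z0-9_./-]+$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one hypothetical audit line into ts/user/src/cmd, or None if it doesn't fit."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def save_file_argument(cmd: str) -> Optional[str]:
    """Return the file argument of a tmsh save command, or None when there is none."""
    m = _SAVE_RE.match(cmd.strip())
    return m.group("arg") if m else None


def is_suspicious(arg: str) -> bool:
    """True when the argument contains anything outside the path-character allowlist."""
    return _SAFE_ARG.fullmatch(arg) is None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per save command whose file argument is not a plain path."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        arg = save_file_argument(rec["cmd"])
        if arg is not None and is_suspicious(arg):
            findings.append(
                {"ts": rec["ts"], "user": rec["user"], "src": rec["src"], "arg": arg}
            )
    return findings


# Constructed sample lines: users, addresses and timestamps are made up.
SAMPLE_LINES = [
    "2025-05-08T10:01:02Z user=admin src=10.0.0.5 tmsh: save /sys ucs nightly.ucs",
    "2025-05-08T10:02:17Z user=admin src=10.0.0.5 tmsh: save /sys config",
    "2025-05-08T10:03:44Z user=svc-backup src=10.0.0.9 tmsh: save /sys ucs x\\}; bash -c \"id\"",
    "2025-05-08T10:04:10Z user=admin src=10.0.0.5 tmsh: list /sys version",
    "2025-05-08T10:05:30Z user=admin src=10.0.0.5 tmsh: save /sys config file /var/local/backup.scf",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['ts']} {f['user']}@{f['src']} suspicious save argument: {f['arg']!r}")
```

The allowlist approach matters more than the exact log format: rather than enumerating every dangerous character, the rule accepts only what a filename can legitimately contain, so a finding is rare enough to be worth an analyst's time and a hit against a service account, as in the sample, is an immediate credential-review trigger.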
