F5 BIG-IP Command Injection Vulnerability Let Attackers Execute Arbitrary System Commands
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
F5 Networks has disclosed a high-severity command injection vulnerability (CVE-2025-31644) in its BIG-IP products running in Appliance mode.
The vulnerability exists in an undisclosed iControl REST endpoint and BIG-IP TMOS Shell (tmsh) command, allowing attackers to bypass Appliance mode security restrictions.
Classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), the flaw received a CVSS v3.1 score of 8.7 and a CVSS v4.0 score of 8.5, both rated as “High” severity.
“This command injection vulnerability may allow an authenticated attacker to cross a security boundary and execute arbitrary Advanced Shell (bash) commands,” F5 stated in its security advisory.
The vulnerability affects BIG-IP versions 17.1.0-17.1.2, 16.1.0-16.1.5, and 15.1.0-15.1.10.
Command Injection in F5 BIG-IP “save” Command
Security researcher Matei “Mal” Badanoiu of Deloitte discovered that the “file” parameter of the “save” command is particularly vulnerable to command injection attacks.
When exploited, this vulnerability allows attackers to manipulate command syntax to execute unintended operations with elevated privileges.
A proof-of-concept exploit released on GitHub demonstrates how attackers can craft malicious commands using shell metacharacters to split legitimate operations and inject arbitrary commands:
This exploit terminates the save command prematurely with the \}; sequence and then executes a system call via bash -c id to print the current user’s ID-confirming execution as root.
The vulnerability can only be exploited by attackers who have valid administrator credentials and network access to the affected iControl REST endpoint or local access to the affected tmsh command.
While the attack surface is limited to authenticated users, the potential impact remains significant as it allows privileged users to execute commands beyond their intended authorization level.
Successful exploitation allows attackers to:
Security experts note that there is no data plane exposure, meaning the vulnerability is limited to the control plane only.
Risk Factors Details Affected ProductsBIG-IP versions:17.1.0-17.1.216.1.0-16.1.515.1.0-15.1.10ImpactExecute arbitrary system commands as rootExploit Prerequisites– Valid administrator credentials- Access to iControl REST API or tmsh shellCVSS 3.1 Score8.7 (High)
Remediation
F5 has released patches for affected versions: 17.1.2.2, 16.1.6, and 15.1.10.7. Organizations are strongly advised to update to these patched versions immediately.
For systems that cannot be immediately patched, F5 recommends implementing temporary mitigations:
“As this attack is conducted by legitimate, authenticated administrator role users, there is no viable mitigation that also allows users access to the BIG-IP system. The only mitigation is to remove access for users who are not completely trusted,” F5 advised.
Organizations using F5 BIG-IP should immediately assess their exposure and implement the necessary patches or mitigations to safeguard their environments against this critical vulnerability.
#Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
F5 BIG-IP Command Injection Vulnerability Let Attackers Execute Arbitrary System Commands
Author: Guru BaranF5 Networks has disclosed a high-severity command injection vulnerability (CVE-2025-31644) in its BIG-IP products running in Appliance mode.
The vulnerability exists in an undisclosed iControl REST endpoint and BIG-IP TMOS Shell (tmsh) command, allowing attackers to bypass Appliance mode security restrictions.
Classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), the flaw received a CVSS v3.1 score of 8.7 and a CVSS v4.0 score of 8.5, both rated as “High” severity.
“This command injection vulnerability may allow an authenticated attacker to cross a security boundary and execute arbitrary Advanced Shell (bash) commands,” F5 stated in its security advisory.
The vulnerability affects BIG-IP versions 17.1.0-17.1.2, 16.1.0-16.1.5, and 15.1.0-15.1.10.
Command Injection in F5 BIG-IP “save” Command
Security researcher Matei “Mal” Badanoiu of Deloitte discovered that the “file” parameter of the “save” command is particularly vulnerable to command injection attacks.
When exploited, this vulnerability allows attackers to manipulate command syntax to execute unintended operations with elevated privileges.
A proof-of-concept exploit released on GitHub demonstrates how attackers can craft malicious commands using shell metacharacters to split legitimate operations and inject arbitrary commands:
This exploit terminates the save command prematurely with the \}; sequence and then executes a system call via bash -c id to print the current user’s ID-confirming execution as root.
The vulnerability can only be exploited by attackers who have valid administrator credentials and network access to the affected iControl REST endpoint or local access to the affected tmsh command.
While the attack surface is limited to authenticated users, the potential impact remains significant as it allows privileged users to execute commands beyond their intended authorization level.
Successful exploitation allows attackers to:
- Execute arbitrary system commands with root privileges.
- Create or delete files through the BIG-IP management port.
- Access self IP addresses.
- Bypass Appliance mode security restrictions.
Security experts note that there is no data plane exposure, meaning the vulnerability is limited to the control plane only.
Risk Factors Details Affected ProductsBIG-IP versions:17.1.0-17.1.216.1.0-16.1.515.1.0-15.1.10ImpactExecute arbitrary system commands as rootExploit Prerequisites– Valid administrator credentials- Access to iControl REST API or tmsh shellCVSS 3.1 Score8.7 (High)
Remediation
F5 has released patches for affected versions: 17.1.2.2, 16.1.6, and 15.1.10.7. Organizations are strongly advised to update to these patched versions immediately.
For systems that cannot be immediately patched, F5 recommends implementing temporary mitigations:
- Block iControl REST access through self IP addresses by changing Port Lockdown settings to “Allow None”.
- Block iControl REST access through the management interface.
- Restrict SSH access to trusted networks only.
- Use packet filtering to limit access to specific IP ranges.
“As this attack is conducted by legitimate, authenticated administrator role users, there is no viable mitigation that also allows users access to the BIG-IP system. The only mitigation is to remove access for users who are not completely trusted,” F5 advised.
Organizations using F5 BIG-IP should immediately assess their exposure and implement the necessary patches or mitigations to safeguard their environments against this critical vulnerability.
#Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
