F5 Networks has revealed a serious command injection vulnerability, tracked as CVE-2025-31644, impacting its BIG-IP products operating in Appliance mode. The flaw allows authenticated attackers to execute unauthorized system-level commands, potentially bypassing built-in security boundaries.
This high-severity issue, discovered by Matei “Mal” Badanoiu from Deloitte, affects a hidden iControl REST endpoint and the BIG-IP TMOS Shell (tmsh) save command. The injection point is the “file” parameter, which an attacker holding admin-level credentials and access to the endpoint can abuse.
Rated 8.7 (CVSS v3.1) and 8.5 (CVSS v4.0), the flaw is classified under CWE-78, indicating improper neutralization of OS command elements. Though limited to authenticated admin users, the exploit grants elevated privileges, letting attackers:
- Execute arbitrary shell commands as root
- Create or delete system files
- Bypass Appliance mode restrictions
- Access self IP addresses via the management port
Affected Versions:
- BIG-IP 17.1.0 – 17.1.2
- BIG-IP 16.1.0 – 16.1.5
- BIG-IP 15.1.0 – 15.1.10
Patches & Mitigation
F5 has issued security updates in versions 17.1.2.2, 16.1.6, and 15.1.10.7. Organizations are urged to upgrade immediately.
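Because the fix ships as a point release on each branch (17.1.2.2 fixes the 17.1.x line, but 17.1.2 itself is still affected), a naive three-component version comparison misclassifies hosts. The following is an added example, not code from F5 or the article, that encodes the affected ranges and fixed versions quoted above so an inventory of BIG-IP versions can be checked offline; the hostnames and versions in the inventory are constructed.

```python
# Added example: classify BIG-IP versions against the CVE-2025-31644 ranges
# quoted in the article. Not F5 tooling; the version table below is copied
# from the affected/fixed versions listed on this page.
from typing import Dict, Optional

# branch -> first fixed version. Affected ranges per the article:
#   17.1.0 - 17.1.2 (fixed in 17.1.2.2)
#   16.1.0 - 16.1.5 (fixed in 16.1.6)
#   15.1.0 - 15.1.10 (fixed in 15.1.10.7)
FIRST_FIXED = {
    "17.1": (17, 1, 2, 2),
    "16.1": (16, 1, 6, 0),
    "15.1": (15, 1, 10, 7),
}


def parse_version(text: str) -> tuple:
    """Turn '15.1.10.7' into a 4-tuple, right-padding with zeros so that
    '17.1.2' compares as (17, 1, 2, 0) < (17, 1, 2, 2)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version string: {text!r}")
    return parts + (0,) * (4 - len(parts))


def assess(version: str) -> Optional[bool]:
    """True = affected, False = carries the fix, None = branch not covered
    by the ranges quoted in the article (needs a manual check)."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIRST_FIXED:
        return None
    # Every release on a listed branch below the fix is affected, including
    # point releases after the last listed one (e.g. 17.1.2.1).
    return v < FIRST_FIXED[branch]


def report(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map hostname -> verdict for a {host: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"lb-edge-1": "17.1.2", "lb-edge-2": "17.1.2.2", "lb-dc-1": "15.1.10.6"}
    for host, verdict in report(sample).items():
        print(host, {True: "AFFECTED", False: "fixed", None: "not listed"}[verdict])
```

A `None` verdict means the branch is outside the ranges the advisory lists, not that the host is safe.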
For systems where patching isn’t possible, F5 suggests temporary mitigations:
- Block iControl REST access via self IPs by setting Port Lockdown to “Allow None”
- Disable iControl REST on the management interface
- Restrict SSH access to trusted IPs
- Use packet filters to limit system access
F5 emphasized that since the attack is carried out by valid admin users, “the only effective mitigation is to revoke access from untrusted users.”
Organizations relying on BIG-IP systems should evaluate their exposure and act swiftly to patch or apply mitigations to protect against potential exploitation.
News Source: Cybersecuritynews.com