![[The AI Show Episode 147]: OpenAI Abandons For-Profit Plan, AI College Cheating Epidemic, Apple Says AI Will Replace Search Engines & HubSpot’s AI-First Scorecard](https://www.marketingaiinstitute.com/hubfs/ep%20147%20cover.png)
![Ditching a Microsoft Job to Enter Startup Purgatory with Lonewolf Engineer Sam Crombie [Podcast #171]](https://cdn.hashnode.com/res/hashnode/image/upload/v1746753508177/0cd57f66-fdb0-4972-b285-1443a7db39fc.png?#)
.jpeg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
_ElenaBs_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Apple Working on Brain-Controlled iPhone With Synchron [Report]](https://www.iclarified.com/images/news/97312/97312/97312-640.jpg)
![Apple Unveils Powerful New Accessibility Features for iOS 19 and macOS 16 [Video]](https://www.iclarified.com/images/news/97311/97311/97311-640.jpg)
F5 BIG-IP Command Injection Vulnerability Let Attackers Execute Arbitrary System Commands
F5 Networks has disclosed a high-severity command injection vulnerability (CVE-2025-31644) in its BIG-IP products running in Appliance mode. The vulnerability exists in an undisclosed iControl REST endpoint and BIG-IP TMOS Shell (tmsh) command, allowing attackers to bypass Appliance mode security restrictions. Classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), the […] The post F5 BIG-IP Command Injection Vulnerability Let Attackers Execute Arbitrary System Commands appeared first on Cyber Security News.
F5 Networks has disclosed a high-severity command injection vulnerability (CVE-2025-31644) in its BIG-IP products running in Appliance mode.
The vulnerability exists in an undisclosed iControl REST endpoint and BIG-IP TMOS Shell (tmsh) command, allowing attackers to bypass Appliance mode security restrictions.
Classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), the flaw received a CVSS v3.1 score of 8.7 and a CVSS v4.0 score of 8.5, both rated as “High” severity.
“This command injection vulnerability may allow an authenticated attacker to cross a security boundary and execute arbitrary Advanced Shell (bash) commands,” F5 stated in its security advisory.
The vulnerability affects BIG-IP versions 17.1.0-17.1.2, 16.1.0-16.1.5, and 15.1.0-15.1.10.
Command Injection in F5 BIG-IP “save” Command
Security researcher Matei “Mal” Badanoiu of Deloitte discovered that the “file” parameter of the “save” command is particularly vulnerable to command injection attacks.
When exploited, this vulnerability allows attackers to manipulate command syntax to execute unintended operations with elevated privileges.
A proof-of-concept exploit released on GitHub demonstrates how attackers can craft malicious commands using shell metacharacters to split legitimate operations and inject arbitrary commands:
This exploit terminates the save command prematurely with the \}; sequence and then executes a system call via bash -c id to print the current user’s ID-confirming execution as root.
The vulnerability can only be exploited by attackers who have valid administrator credentials and network access to the affected iControl REST endpoint or local access to the affected tmsh command.
While the attack surface is limited to authenticated users, the potential impact remains significant as it allows privileged users to execute commands beyond their intended authorization level.
Successful exploitation allows attackers to:
- Execute arbitrary system commands with root privileges.
- Create or delete files through the BIG-IP management port.
- Access self IP addresses.
- Bypass Appliance mode security restrictions.
Security experts note that there is no data plane exposure, meaning the vulnerability is limited to the control plane only.
Risk Factors Details Affected Products BIG-IP versions:17.1.0-17.1.216.1.0-16.1.515.1.0-15.1.10 Impact Execute arbitrary system commands as root Exploit Prerequisites – Valid administrator credentials- Access to iControl REST API or tmsh shell CVSS 3.1 Score 8.7 (High)
Remediation
F5 has released patches for affected versions: 17.1.2.2, 16.1.6, and 15.1.10.7. Organizations are strongly advised to update to these patched versions immediately.
For systems that cannot be immediately patched, F5 recommends implementing temporary mitigations:
- Block iControl REST access through self IP addresses by changing Port Lockdown settings to “Allow None”.
- Block iControl REST access through the management interface.
- Restrict SSH access to trusted networks only.
- Use packet filtering to limit access to specific IP ranges.
“As this attack is conducted by legitimate, authenticated administrator role users, there is no viable mitigation that also allows users access to the BIG-IP system. The only mitigation is to remove access for users who are not completely trusted,” F5 advised.
Organizations using F5 BIG-IP should immediately assess their exposure and implement the necessary patches or mitigations to safeguard their environments against this critical vulnerability.
Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar
The post F5 BIG-IP Command Injection Vulnerability Let Attackers Execute Arbitrary System Commands appeared first on Cyber Security News.
