A high-severity command injection vulnerability affects F5 BIG-IP systems operating in Appliance mode. This mode is designed to prevent administrators from accessing the underlying operating system, enforcing stricter controls that limit potentially harmful configurations or code execution. However, due to a flaw in input handling within an undisclosed iControl REST and TMOS Shell (tmsh) command, specifically the “save” functionality, authenticated administrators can inject arbitrary shell commands. This undermines the Appliance mode boundary and enables full root-level command execution on the system. The vulnerability has been assigned a CVSS score of approximately 8.7, indicating its critical potential impact in real-world environments.
CVE-2025-31644 is a command injection flaw that arises when BIG-IP is in Appliance mode. The bug lies in the handling of the save command (used to write configuration files) via both the iControl REST API and the TMOS Shell (tmsh) CLI. In Appliance mode, BIG-IP normally restricts shell commands, but this vulnerability allows an authenticated administrator to bypass those restrictions. Specifically, the file parameter of the save command is not safely sanitized and is passed directly to underlying scripts or system calls. An attacker with valid admin credentials can supply shell metacharacters (such as backticks or semicolons) in the file value to terminate the intended operation and execute an arbitrary bash command. For example, a proof-of-concept exploit shows using a sequence like }; bash -c id to end the save operation and invoke a new shell command, yielding a root shell on the device. In short, the unsanitized input to the save command permits injection of arbitrary shell commands, enabling full code execution on the BIG-IP system (as root) despite Appliance mode protections.
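The bug class described above, modelled in Python as an added illustration (this is not F5's code and does not reproduce the BIG-IP implementation): a "save" handler that splices a user-controlled file parameter into a shell string, beside a hardened version that validates the value against an allowlist and passes it as a single argv element with no shell. The handler names, the allowlisted directory /var/local/ucs and the use of echo as a harmless stand-in for the real save backend are assumptions.

```python
"""Model of the CVE-2025-31644 bug class: a 'save' handler that concatenates
a user-controlled file parameter into a shell command, beside a hardened
version. Added illustration, not F5 code; the handler names, ALLOWED_DIR and
the 'echo' stand-in for the real save backend are assumptions."""
import re
import subprocess
from pathlib import PurePosixPath

# Assumption: in this model, saved files must live under one directory.
ALLOWED_DIR = PurePosixPath("/var/local/ucs")
# Conservative allowlist for the file name: no shell metacharacters at all.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def vulnerable_save(file_param: str) -> str:
    """Vulnerable pattern: the parameter is concatenated into a shell string.
    'echo' stands in for the real save backend so the demo is harmless."""
    cmd = f"echo saving {file_param}"
    # shell=True means ';', backticks and '$()' in file_param are parsed by sh,
    # so anything after a separator runs as a second command.
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def validate_save_target(file_param: str) -> PurePosixPath:
    """Accept a plain file name, or an absolute path directly inside
    ALLOWED_DIR. Raises ValueError on shell metacharacters, path traversal,
    relative subpaths or a location outside the allowlisted directory."""
    p = PurePosixPath(file_param)
    if not SAFE_NAME.fullmatch(p.name):
        raise ValueError(f"unsafe file name: {file_param!r}")
    if p.is_absolute():
        # PurePosixPath does not collapse '..', so it is still visible here.
        if ".." in p.parts or p.parent != ALLOWED_DIR:
            raise ValueError(f"path outside {ALLOWED_DIR}: {file_param!r}")
        return p
    if len(p.parts) != 1:
        raise ValueError(f"relative subpaths are not allowed: {file_param!r}")
    return ALLOWED_DIR / p.name


def is_safe_save_target(file_param: str) -> bool:
    """Boolean wrapper around validate_save_target for callers and tests."""
    try:
        validate_save_target(file_param)
        return True
    except ValueError:
        return False


def hardened_save(file_param: str) -> str:
    """Hardened pattern: validate first, then pass an argv list with no shell,
    so the value can only ever be one argument of the backend."""
    target = validate_save_target(file_param)
    out = subprocess.run(["echo", "saving", str(target)],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print(vulnerable_save("backup.ucs; echo INJECTED"))   # second line: INJECTED
    print(hardened_save("backup.ucs"))                    # saving /var/local/ucs/backup.ucs
    print(is_safe_save_target("backup.ucs; echo INJECTED"))  # False
```

The two defences are independent: the allowlist stops the value from carrying a separator at all, and the argv form stops a separator from meaning anything even if validation were later loosened. Either alone is weaker than both; the page's description (value passed directly to scripts or system calls) is the case where neither is present.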
Exploitation Scenario and Requirements
Exploitation requires authenticated administrator-level access to the BIG-IP management interfaces. An attacker must either log in to tmsh (via SSH) or send a crafted request to the iControl REST API under an admin account. No additional user interaction is needed beyond sending the malicious command payload. In other words, possession of valid administrator credentials (or compromise of an admin account) and network access to the management plane are prerequisites. Once those are met, the attacker can invoke the save command through /mgmt REST calls or via tmsh and inject arbitrary bash commands. This flaw effectively crosses the security boundary of Appliance mode, which normally forbids shell access, and hands the attacker a root shell.
Exploitation Context and Threats
As of this report’s writing, there are no confirmed in-the-wild attacks publicly disclosed for CVE-2025-31644. The vulnerability was announced in early May 2025, and public proof-of-concept exploit code became available shortly thereafter (mid-May). While there is no current evidence of active campaigns targeting this flaw, its high severity (CVSS 8.5/8.7) and the availability of exploit code mean attackers are likely to try. In particular, threat actors may use this bug to bypass BIG-IP’s Appliance mode lockdown and gain “remote code execution as root”. Organizations should assume interest from adversaries given the potential for full system takeover. Unlike data-plane bugs, this is strictly a control-plane compromise: it does not directly affect traffic handling, but it gives attackers carte blanche on the management host. In the hands of an attacker, it could enable persistence or lateral movement in sensitive environments.
A successful exploit of CVE-2025-31644 yields full system compromise. Because it provides root-level command execution, an attacker can do anything on the device. Possible impacts include gaining complete control of the BIG-IP management system; executing malicious code or installing backdoors in the OS; reading or modifying configuration files; disabling security controls; and moving laterally through the network. Critically, Appliance mode is designed to prevent exactly these actions from an admin user, so the flaw bypasses those intended restrictions. For example, documented exploits show that attackers can execute arbitrary bash commands, create or delete arbitrary files via the management port, and access the BIG-IP’s internal (self) IP addresses, actions that normally should be blocked. In practice, this means an attacker could maintain persistence on the device, exfiltrate sensitive data, or launch further attacks on the network from the compromised BIG-IP.
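Because exploitation requires an authenticated admin and passes through the save command (the scenario, threat and impact sections above), the management-plane audit trail is where a defender can look for it. The scanner below is an added example, not part of this report or F5's tooling: it reads tmsh audit lines, keeps only save commands, and flags any whose arguments contain shell metacharacters. The sample lines are constructed, loosely modelled on the cmd_data= form of /var/log/audit entries, and the exact field layout on a given release is an assumption to verify against your own logs.

```python
"""Audit-log scanner for CVE-2025-31644 hunting. Added example; the sample
lines are constructed (not real captures) and the 'user=... cmd_data=...'
layout is an assumption modelled on tmsh audit entries."""
import re
from dataclasses import dataclass

# Constructed sample audit lines. Only the third is suspicious: its save
# argument carries a ';' separator, which no legitimate file name needs.
SAMPLE_AUDIT = """\
May 20 10:01:02 bigip1 notice tmsh[4711]: 01420002:5: AUDIT - pid=4711 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=save sys config
May 20 10:02:15 bigip1 notice tmsh[4712]: 01420002:5: AUDIT - pid=4712 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=save sys ucs backup-2025-05-20.ucs
May 20 10:03:40 bigip1 notice tmsh[4713]: 01420002:5: AUDIT - pid=4713 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=save sys config file /var/tmp/x; id
May 20 10:04:01 bigip1 notice tmsh[4714]: 01420002:5: AUDIT - pid=4714 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys version
"""

# Pull the acting user and the logged command text out of one audit line.
AUDIT_RE = re.compile(r"user=(?P<user>\S+).*?cmd_data=(?P<cmd>.*)$")
# Only 'save ...' commands are in scope for this CVE.
SAVE_RE = re.compile(r"^save\s+(?P<args>.*)$")
# Characters that give sh a second command or a substitution; none of them
# belongs in a configuration file name.
META_RE = re.compile(r"[;&|`$(){}<>]")


@dataclass(frozen=True)
class Finding:
    user: str
    command: str
    metachars: str   # distinct metacharacters seen, sorted


def parse_audit_line(line: str):
    """Return (user, command) for a tmsh audit line, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("cmd").strip()


def scan_audit(text: str) -> list[Finding]:
    """Flag every 'save' command whose arguments contain shell metacharacters."""
    findings = []
    for line in text.splitlines():
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        user, cmd = parsed
        s = SAVE_RE.match(cmd)
        if not s:
            continue
        hits = sorted(set(META_RE.findall(s.group("args"))))
        if hits:
            findings.append(Finding(user, cmd, "".join(hits)))
    return findings


if __name__ == "__main__":
    for f in scan_audit(SAMPLE_AUDIT):
        print(f"user={f.user} metachars={f.metachars!r} cmd={f.command!r}")
```

Two caveats for use in anger: the rule keys on a small set of characters, so review any hit by hand rather than alerting on it blindly, and it only sees what tmsh logged. For the iControl REST path described above, apply the same metacharacter check to whatever record on your platform retains the request body for /mgmt calls; the page does not state where that is, so treat the source as something to confirm per release.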
https://my.f5.com/manage/s/article/K000148591?utm_source=f5support&utm_medium=RSS