May 13, 2025
Severity
High
Analysis Summary
A high-severity vulnerability, CVE-2025-31644, has been discovered in F5 BIG-IP systems operating in Appliance mode. It potentially allows authenticated administrative users to execute arbitrary bash commands and gain root-level access. The flaw, responsibly disclosed by a researcher, affects the iControl REST API and the TMSH (Traffic Management Shell) CLI interface.
The vulnerability lies in the file parameter of the save command, which is used to store configuration files. This parameter is passed unsanitized to underlying Perl scripts or system commands, making it susceptible to command injection through shell metacharacters such as backticks. While the save command is broadly available, only administrator-level users can specify custom file paths, which narrows the scope of the flaw but not its severity.
A successful exploit bypasses Appliance mode restrictions, which are meant to separate the control and data planes by denying administrators access to a bash shell. Despite Appliance mode's intent to isolate sensitive operations, this vulnerability undermines that security boundary, allowing remote code execution as root.
This is not a data plane flaw but a control plane compromise, which could allow attackers to alter system configurations, establish persistence, or move laterally within a network.
CVE-2025-31644 can be exploited through:
- The iControl REST API (/mgmt)
- The TMSH CLI over SSH
Organizations using BIG-IP in Appliance mode are strongly advised to apply vendor patches immediately to prevent exploitation.
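As an added illustration (not code from the Rewterz advisory or from F5), the check below scans constructed audit lines for save commands whose file argument carries shell metacharacters, the injection pattern the analysis describes, so that such attempts surface in monitoring. The tmsh line shape, the iControl REST request shape and the allowed-path policy are assumptions.

```python
import json
import re
from typing import Optional

# Backticks are the metacharacter the advisory names; the others are an
# assumed extension of what a file-path check should also reject.
SHELL_METACHAR_RE = re.compile(r"[`$;|&<>\n]")
# Assumed policy: a save target must be an absolute path of plain characters.
SAFE_PATH_RE = re.compile(r"/[A-Za-z0-9_./-]+")
# Assumed tmsh audit line shape: "... tmsh: save sys config file <path>".
TMSH_SAVE_RE = re.compile(r"save\s+/?sys\s+config\s+file\s+(.+)$")

# Constructed sample audit lines (not real BIG-IP log output).
SAMPLE_LOG = [
    "2025-05-13T10:02:11Z admin tmsh: save sys config file /var/local/ucs/backup.scf",
    "2025-05-13T10:05:47Z admin tmsh: save sys config file /var/tmp/a`cmd`",
    '2025-05-13T10:07:03Z admin POST /mgmt/tm/sys/config '
    '{"command": "save", "options": [{"file": "/var/tmp/b$(cmd)"}]}',
    '2025-05-13T10:09:30Z admin POST /mgmt/tm/sys/config {"command": "save"}',
]


def extract_save_file(line: str) -> Optional[str]:
    """Return the file argument of a save command in a log line, or None."""
    m = TMSH_SAVE_RE.search(line)
    if m:
        return m.group(1).strip()
    # iControl REST: JSON body posted to /mgmt/tm/sys/config (assumed shape).
    start = line.find("{")
    if start == -1:
        return None
    try:
        body = json.loads(line[start:])
    except ValueError:
        return None
    if body.get("command") != "save":
        return None
    for opt in body.get("options", []):
        if isinstance(opt, dict) and "file" in opt:
            return str(opt["file"])
    return None


def is_unsafe_path(path: str) -> bool:
    """True if the save target contains shell metacharacters or is not a plain path."""
    return bool(SHELL_METACHAR_RE.search(path)) or not SAFE_PATH_RE.fullmatch(path)


def scan(lines):
    """Return (line, file) pairs whose save target looks like an injection attempt."""
    return [(ln, p) for ln in lines
            if (p := extract_save_file(ln)) is not None and is_unsafe_path(p)]
```

Running `scan(SAMPLE_LOG)` flags the second and third lines only; the same path check, applied before the value ever reaches a shell, is the server-side fix the advisory implies.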
Impact
- Command Execution
- Unauthorized Access
Indicators of Compromise
CVE
- CVE-2025-31644
Affected Vendors
- F5
Affected Products
- F5 BIG-IP 17.1.0 - 17.1.2.2
- F5 BIG-IP 16.1.0 - 16.1.6
- F5 BIG-IP 15.1.0 - 15.1.10.7
Remediation
- Refer to the F5 Security Advisory for patch, upgrade, or suggested workaround information.
- Restrict access to the iControl REST API and TMSH CLI to trusted administrative users only.
- Implement strict role-based access controls (RBAC) to limit administrator privileges.
- Monitor and audit administrative activities regularly for unusual behavior.
- Disable unnecessary services and interfaces exposed to the internet.
- Use firewall rules to restrict management access to trusted IP ranges.
- Enforce strong authentication methods, including MFA, for administrative access.
- Regularly review and update configuration files and system settings.
- Deploy intrusion detection systems (IDS) to detect command injection attempts.
- Conduct frequent vulnerability assessments and penetration testing of BIG-IP deployments.