F5 Flaw Lets Admins Run Rogue Commands as Root
F5 Networks has disclosed a high-severity command injection vulnerability affecting its BIG-IP products operating in Appliance mode. Tracked as CVE-2025-31644, the flaw resides in an undisclosed iControl REST endpoint and a TMOS Shell (tmsh) command, allowing authenticated attackers to execute arbitrary system commands by bypassing security restrictions. The vulnerability is rated 8.7 on the CVSS v3.1 scale and 8.5 on CVSS v4.0, both classified as “High.”
The flaw, identified in the “file” parameter of the “save” command, can be exploited using shell metacharacters to inject commands executed with root privileges. A proof-of-concept exploit has been published, demonstrating the risk to systems running BIG-IP versions 17.1.0–17.1.2, 16.1.0–16.1.5, and 15.1.0–15.1.10.
F5 has released patches and advises customers to upgrade immediately. Temporary mitigations include restricting access to the iControl REST interface and SSH services. No data plane exposure has been reported.
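The defensive pattern behind this class of bug, as an added example that is not F5's code and not taken from the advisory: a filename parameter is dangerous exactly when it is interpolated into a single shell string, and safe when it is validated against a strict allow-list and passed as one argv element with no shell involved. The same validator is then reused as detection logic over a few constructed audit-style log lines (the `AUDIT - user=... cmd="..."` layout is an assumption for the example, not real BIG-IP log output) to flag `save ... file` invocations whose argument carries metacharacters or path traversal. The functions below only build the command; nothing is executed.

```python
import re

# Constructed sample audit lines (format is hypothetical, not BIG-IP's own).
SAMPLE_AUDIT_LINES = [
    'AUDIT - user=admin action=tmsh cmd="save /sys config file backup-2025-05-07"',
    'AUDIT - user=admin action=tmsh cmd="save /sys config file nightly;id"',
    'AUDIT - user=svc-backup action=rest cmd="save /sys config file $(whoami)"',
    'AUDIT - user=admin action=tmsh cmd="save /sys config file ../../etc/cron.d/x"',
    'AUDIT - user=admin action=tmsh cmd="list /sys version"',
]

# Characters that change the meaning of a command once a shell parses it.
SHELL_META = re.compile(r'[;&|`$<>(){}\[\]*?!\\\'"\n\r]')
# Allow-list: a bare file name, no separators, bounded length.
SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$')
# Extracts the argument of a "save /sys config file <arg>" command from a log line.
CMD_RE = re.compile(r'cmd="save\s+/sys\s+config\s+file\s+(.*?)"')


def validate_file_param(value: str):
    """Return (ok, reason) for a user-supplied file name parameter."""
    if SHELL_META.search(value):
        return False, "shell metacharacter"
    if "/" in value or ".." in value:
        return False, "path separator or traversal"
    if not SAFE_NAME.fullmatch(value):
        return False, "outside allow-list"
    return True, "ok"


def build_save_command_unsafe(file_param: str) -> str:
    # The anti-pattern: untrusted input spliced into one string that a shell
    # will parse, so a metacharacter in file_param becomes a second command.
    return f"save /sys config file {file_param}"


def build_save_argv_safe(file_param: str):
    # Hardened form: validate first, then keep the command as an argument
    # vector (to be run without a shell), so the value can only be a file name.
    ok, reason = validate_file_param(file_param)
    if not ok:
        raise ValueError(f"rejected file parameter: {reason}")
    return ["tmsh", "save", "/sys", "config", "file", file_param]


def scan_audit_lines(lines):
    """Flag save commands whose file argument fails validation.

    Returns a list of (user, argument, reason) tuples.
    """
    findings = []
    for line in lines:
        m = CMD_RE.search(line)
        if not m:
            continue
        ok, reason = validate_file_param(m.group(1))
        if ok:
            continue
        user = re.search(r'user=(\S+)', line)
        findings.append((user.group(1) if user else "?", m.group(1), reason))
    return findings


if __name__ == "__main__":
    for user, arg, reason in scan_audit_lines(SAMPLE_AUDIT_LINES):
        print(f"suspicious save by {user}: file={arg!r} ({reason})")
```

The validator is deliberately stricter than "no metacharacters": rejecting separators and traversal as well keeps the file name inside the directory the command expects, and the argv form means a value that does slip through still cannot spawn a second process. The scan is a starting point for a hunt query over whatever audit source an environment actually has, not a signature for the specific endpoint F5 has not named.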
