A high-severity vulnerability, CVE-2025-31644, has been disclosed in F5 BIG-IP systems running in Appliance mode. The flaw allows an authenticated user with the Administrator role to run arbitrary system commands, bypassing the restrictions that Appliance mode is designed to enforce.
The issue was reported by security researcher Matei "Mal" Badanoiu of Deloitte, and F5 has released patches to fix it.
The vulnerability stems from improper input handling in an undisclosed iControl REST endpoint and the corresponding TMOS Shell (tmsh) command. Appliance mode exists to deny even administrators a bash shell on the device; this flaw lets an admin-role user escape that boundary and execute bash commands, which is why it matters despite requiring credentials.
Exploiting the flaw lets an attacker create or delete files and run system commands. The vulnerable interfaces are reachable only over the BIG-IP management port or self IPs, so the exposure is confined to the control plane; F5 confirmed there is no data-plane exposure.
Who’s Affected and How Severe Is It?
This flaw affects BIG-IP systems licensed for Appliance mode, including vCMP guests running in Appliance mode. It is rated High, with a CVSS v3.1 base score of 8.7.
F5 tracked the issue under internal IDs 1778741, 1702565, and 15832011.
F5 has confirmed that the following products are not affected:
- BIG-IP Next
- BIG-IQ Centralized Management
- F5 Distributed Cloud
- F5OS
- NGINX
Recommended Mitigation Steps
F5 has released updates to fix the vulnerability in BIG-IP:
- 17.x branch: update to 17.1.2.2
- 16.x branch: update to 16.1.6
- 15.x branch: update to 15.1.10.7
Admins are strongly encouraged to upgrade as soon as possible.
If you can’t update right away, F5 recommends temporary workarounds:
- Limit the Administrator role to trusted users only, since the attack requires an authenticated admin account.
- Block iControl REST access over self IPs by setting Port Lockdown to "Allow None". The default Port Lockdown setting ("Allow Default") exposes port 443 (iControl REST and the Configuration utility) and port 22 (SSH) on every self IP.
- Restrict SSH access to the management interface and self IPs using the same network controls.
- Use firewalls or packet filters to limit which source addresses can reach the management interface.
F5 provides full guidance in support articles K46122561 and K693540491.
Note: Setting Port Lockdown to "Allow None" on a self IP that carries high availability (HA) traffic will break ConfigSync, failover and mirroring between the devices. For those self IPs, allow only the specific ports HA requires rather than "Allow None", and review each change carefully before applying it.
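To see where the workaround actually stands on a device, the following script audits the Port Lockdown setting of every self IP and emits the tmsh commands that close the management ports on any self IP still on "Allow Default". It is an added example, not code from F5 or from the article, and the sample data is constructed in the format printed by `tmsh list net self one-line`; the self IP names and addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not F5's or the article's): audit self IP Port Lockdown
# settings on BIG-IP and print the tmsh commands needed to apply the
# "Allow None" workaround. On a real device, feed it live output with:
#   self_ip_lockdown "$(tmsh list net self one-line)"

# Constructed sample in the format of `tmsh list net self one-line`;
# not captured from a real device. Names and addresses are assumptions.
SAMPLE_SELF_IPS='net self ext-self { address 192.0.2.10/24 allow-service { default } traffic-group traffic-group-local-only vlan external }
net self int-self { address 198.51.100.10/24 allow-service none traffic-group traffic-group-local-only vlan internal }
net self ha-self { address 203.0.113.10/24 allow-service { tcp:1026 udp:1026 tcp:4353 } traffic-group traffic-group-local-only vlan ha }
net self dmz-self { address 192.0.2.50/24 allow-service { tcp:443 tcp:4353 } traffic-group traffic-group-local-only vlan dmz }'

# Print "<self-ip-name> <status>" for each self IP:
#   default         "Allow Default": 443 (iControl REST / Configuration
#                   utility) and 22 (SSH) are reachable on this self IP
#   custom-exposed  explicit port list that still includes tcp:443 or tcp:22
#   custom          explicit port list without the management ports; HA
#                   self IPs legitimately need tcp:4353 (ConfigSync) and
#                   udp:1026 (failover), so do not set these to "Allow None"
#   none            "Allow None": the workaround is in place
self_ip_lockdown() {
    printf '%s\n' "$1" | awk '
        $1 == "net" && $2 == "self" {
            status = "custom"
            for (i = 4; i <= NF; i++) {
                if ($i == "allow-service") {
                    if ($(i + 1) == "none") {
                        status = "none"
                    } else if ($(i + 2) == "default" && $(i + 3) == "}") {
                        status = "default"
                    } else {
                        # scan the explicit port list up to the closing brace
                        for (j = i + 2; j <= NF && $j != "}"; j++)
                            if ($j == "tcp:443" || $j == "tcp:22") status = "custom-exposed"
                    }
                    break
                }
            }
            print $3, status
        }'
}

# Emit the remediation: "Allow None" for self IPs on the default setting,
# and a review reminder for custom lists that still open 443 or 22.
# Run the printed commands on the device, then `tmsh save sys config`.
lockdown_commands() {
    self_ip_lockdown "$1" | awk '
        $2 == "default" { print "tmsh modify net self " $1 " allow-service none" }
        $2 == "custom-exposed" { print "# review " $1 ": remove tcp:443/tcp:22 from its allow-service list" }'
}

self_ip_lockdown "$SAMPLE_SELF_IPS"
lockdown_commands "$SAMPLE_SELF_IPS"
```

Run the audit before and after the change; a self IP that still reports `default` or `custom-exposed` after the workaround is exactly the path an admin-role account could use to reach iControl REST or SSH from the data-plane network. Self IPs reporting `custom` are left alone by design, since blindly applying "Allow None" to them is what breaks HA.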