Command Injection Vulnerability in F5 Networks BIG-IP Product
CVE-2025-20029

8.7HIGH

Key Information:

Vendor: F5
Status: Big-ip
Vendor: CVE Published:; 5 February 2025

Summary

A command injection vulnerability has been identified in F5 Networks' BIG-IP product that affects its iControl REST interface and the TMOS Shell (tmsh) save command. This flaw could enable an authenticated attacker to exploit the system, allowing for arbitrary command execution on the affected devices. Proper security measures should be implemented to mitigate the risks associated with this vulnerability.

Affected Version(s)

BIG-IP 17.1.0 < 17.1.2.1

BIG-IP 16.1.0 < 16.1.5.2

BIG-IP 15.1.0 < 15.1.10.6

References

https://my.f5.com/manage/s/article/K000148587

vendor-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 5, 2025
Vulnerability Reserved
Jan 22, 2025

Credit

F5 acknowledges Matei "Mal" Badanoiu @ Deloitte for bringing this issue to our attention and following the highest standards of coordinated disclosure.