CVE-2025-31644 | BIG-IP | RCE
| Vulnerability | CVE-2025-31644 |
|---|---|
| Type | Authenticated Command Injection / Remote Code Execution |
| Description | When BIG-IP runs in Appliance mode, the file parameter of the save sys config command is forwarded to underlying shell utilities without sanitisation. An authenticated user with the Administrator role can inject shell metacharacters (e.g. backticks) via the iControl REST endpoint /mgmt/tm/sys/config or through an SSH tmsh session, achieving arbitrary command execution as root and bypassing the Appliance-mode restriction on Bash access. |
| Affected Systems | BIG-IP 17.x: 17.1.0 – 17.1.2.1; BIG-IP 16.x: 16.1.0 – 16.1.5.x; BIG-IP 15.x: 15.1.0 – 15.1.10.6 |
| Attack Vector | Network-accessible management interfaces (iControl REST or SSH). Requires valid Administrator credentials. |
| Exploit Mechanism | Through SSH: inject shell commands into the file option of save sys config, e.g. ``save sys config file /var/tmp/`bash'${IFS}-c${IFS}'id'${IFS}>&2`.scf no-passphrase``. Through the /mgmt API: a crafted POST to /mgmt/tm/sys/config. The injected payload executes as root even if the REST call returns HTTP 400. |
| Impact of the Bug | Full remote code execution as root; complete takeover of BIG-IP and stored secrets; lateral movement into adjacent networks; ability to disable security controls |
| Detection Techniques | Log correlation for save sys config invocations that contain shell metacharacters or unexpected paths; monitoring of secure / auditd logs for unexpected bash/sh children of tmsh or of the iControl REST Java process restjavad |
| IOCs Related to Exploitation | Log entries showing bash -c spawned by tmsh or the REST process; REST API requests with URL-encoded backticks (%60) in the file parameter |
| Mitigation Steps | Patch immediately: 17.1.2.2, 16.1.6, or 15.1.10.7 (or later); restrict management/API access to trusted networks/VPNs; enforce MFA for all administrative accounts |
| Workaround (if available) | No official workaround. Disabling Appliance mode does not remove the vulnerable code path; only vendor patches fully mitigate the risk. Restrict management access as a temporary measure. |
| References | NVD: CVE-2025-31644; F5 Security Advisory K000148591; Tenable; Public PoC |
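A defender-side check for the detection rows above (save sys config invocations carrying shell metacharacters or unexpected paths, and %60-encoded backticks in REST file parameters), added here as an example that is not part of the original page or of any F5 tooling; the log line formats, the SAMPLE entries and the expected SCF directory are constructed assumptions.

```python
import json
import re
from urllib.parse import unquote
# Assumption: saved SCF files normally live here; adjust to local policy.
EXPECTED_SCF_DIR = "/var/local/scf/"
# Characters that never belong in an SCF file name but do appear in injection.
META = re.compile(r"[`$;|&<>(){}]")
TMSH_SAVE = re.compile(r"save sys config\b.*?\bfile\s+(\S+)")
REST_SAVE = re.compile(r"POST /mgmt/tm/sys/config\b.*?body=(\{.*\})$")

def check_file_arg(value):
    """Reasons the 'file' value looks like CVE-2025-31644 abuse, [] if clean."""
    decoded = unquote(value)  # %60 -> ` and similar encodings
    reasons = []
    if META.search(decoded):
        reasons.append("shell metacharacters in file parameter")
        if decoded != value:
            reasons.append("metacharacters were URL-encoded (e.g. %60)")
    if not decoded.startswith(EXPECTED_SCF_DIR):
        reasons.append("path outside expected SCF directory")
    return reasons

def extract_file_arg(line):
    """Return the 'file' value from a tmsh audit line or a REST request line."""
    m = TMSH_SAVE.search(line)
    if m:
        return m.group(1)
    m = REST_SAVE.search(line)
    if m:
        body = json.loads(m.group(1))
        if body.get("command") == "save":
            return next((o["file"] for o in body.get("options", []) if "file" in o), None)
    return None

def scan(lines):
    """Return [(line, reasons)] for save-sys-config events that look injected."""
    findings = []
    for line in lines:
        arg = extract_file_arg(line)
        reasons = check_file_arg(arg) if arg is not None else []
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample log lines (formats are assumptions, not real BIG-IP output).
SAMPLE = [
    "tmsh: user=admin cmd='save sys config file /var/local/scf/nightly.scf no-passphrase'",
    "tmsh: user=admin cmd='save sys config file /var/tmp/`id`.scf no-passphrase'",
    'restjavad: POST /mgmt/tm/sys/config user=admin body={"command":"save","options":[{"file":"/var/tmp/%60id%60.scf"}]}',
    "tmsh: user=admin cmd='list sys version'",
]
```

Run scan(SAMPLE) to see the two flagged events; the legitimate backup and the unrelated list command produce no findings.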