
Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

PoC Exploit Released for F5 BIG-IP Command Injection Vulnerability

Summary:
Proof-of-concept (PoC) code has been released on GitHub for a high-severity command injection vulnerability in F5’s iControl REST API and BIG-IP Traffic Management Shell (TMSH) command-line interface. Tracked as CVE-2025-20029, the flaw allows authenticated attackers to execute arbitrary commands by sending a specially crafted request remotely through iControl REST or by running a crafted tmsh command locally. Successful exploitation could grant attackers remote code execution as the “root” user, enabling data theft, network traffic interception, and lateral movement across the network. Although no in-the-wild attacks have been reported, the availability of the PoC raises concerns about potential intrusions targeting systems vulnerable to CVE-2025-20029.

Security Officer Comments:
The PoC exploits a vulnerability in the tmsh command-line interface's save functionality, stemming from inadequate input sanitization. This flaw allows attackers to inject malicious parameters containing shell metacharacters like ; or }, bypassing F5’s restricted command environment because user-supplied arguments passed to system() calls are handled improperly. Although exploitation requires valid credentials, the attack chain remains relatively simple to execute because of the predictable structure of the vulnerable command sequences.

Suggested Corrections:
Administrators should immediately upgrade to BIG-IP v16.1.4.2 or a later version to address CVE-2025-20029. Additionally, access to the tmsh CLI should be restricted to essential users, while role assignments should be regularly audited to ensure proper access control. Furthermore, monitoring system logs for any unusual save commands or partition modifications is essential to detect and respond to potential exploitation attempts early.
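As an added example (not from the advisory or from F5), the following script implements the log-monitoring check suggested above: it scans audit lines for tmsh save commands carrying the shell metacharacters described in the Security Officer Comments, and for partition modifications. The log lines and their field names (user=, cmd_data=) are constructed and only loosely modelled on the tmsh audit log; adapt the AUDIT_LINE pattern to the real format of your device.

```python
import re

# Constructed sample lines, loosely modelled on the tmsh audit log
# (the field names are an assumption, not copied from a real BIG-IP).
SAMPLE_LOG = """\
Feb 20 09:12:01 bigip1 notice tmsh[4121]: AUDIT - user=admin cmd_data=save sys config partitions { Common }
Feb 20 09:13:44 bigip1 notice tmsh[4130]: AUDIT - user=admin cmd_data=save sys ucs backup-20250220.ucs
Feb 20 09:15:02 bigip1 notice tmsh[4142]: AUDIT - user=ops cmd_data=save sys config partitions { Common } ; echo injected
Feb 20 09:15:09 bigip1 notice tmsh[4142]: AUDIT - user=ops cmd_data=save sys config partitions { } } | echo injected
Feb 20 09:16:30 bigip1 notice tmsh[4150]: AUDIT - user=ops cmd_data=modify auth partition test
"""

# Characters a shell would interpret if a save argument ever reached system().
SHELL_META = re.compile(r"[;|&`]|\$\(")
AUDIT_LINE = re.compile(r"user=(\S+)\s.*?cmd_data=(.*)$")
PARTITION_CMD = re.compile(r"^(create|modify|delete)\s+auth\s+partition\b")

def braces_balanced(text: str) -> bool:
    # tmsh uses { } as ordinary syntax, so only unbalanced braces are a signal:
    # a stray '}' closes a scope the command never opened.
    depth = 0
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0

def inspect_command(user: str, cmd: str):
    """Return (user, command, reasons) when the command deserves a look, else None."""
    reasons = []
    if cmd.startswith("save "):
        if SHELL_META.search(cmd):
            reasons.append("shell metacharacter in save arguments")
        if not braces_balanced(cmd):
            reasons.append("unbalanced braces in save arguments")
    elif PARTITION_CMD.match(cmd):
        reasons.append("partition modification (review)")
    return (user, cmd, reasons) if reasons else None

def scan(log_text: str) -> list:
    """Run inspect_command over every audit line that carries a cmd_data field."""
    findings = []
    for line in log_text.splitlines():
        m = AUDIT_LINE.search(line)
        if m and (finding := inspect_command(*m.groups())):
            findings.append(finding)
    return findings
```

Run against the constructed sample, scan() flags the two save commands with injected metacharacters (the second also for its unbalanced braces) and the partition change, while the two legitimate saves pass.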

Link(s):
https://gbhackers.com/f5-big-ip-command-injection-vulnerability/