CVE-2025-20029
Published: 05 February 2025
Description
Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Security Summary
CVE-2025-20029 is a command injection vulnerability (CWE-78) present in the iControl REST interface and the BIG-IP TMOS Shell (tmsh) save command of F5 BIG-IP systems. Published on 2025-02-05, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this issue.
An authenticated attacker with low privileges (PR:L) can exploit the vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation enables the execution of arbitrary system commands on the affected BIG-IP system, granting high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H).
Mitigation details, including available patches, are outlined in the F5 security advisory at https://my.f5.com/manage/s/article/K000148587.
Details
- CWE(s)