Big Ip Advanced Web Application Firewall
CVE-2025-20029
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitrary system commands.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
F5 BIG-IP contains an authenticated command injection in the iControl REST API and TMOS Shell (tmsh) save command. Authenticated attackers can inject system commands through crafted save operations, executing arbitrary code on the BIG-IP appliance which typically handles load balancing and SSL termination for critical application infrastructure.
Technical ContextAI
The tmsh save command processes user-supplied parameters without adequate sanitization before passing them to underlying system commands. An authenticated user with access to iControl REST or tmsh can inject shell metacharacters that execute arbitrary commands. BIG-IP appliances run a modified Linux OS and the exploitation context provides access to TLS private keys, configuration secrets, and network traffic.
RemediationAI
Apply the latest F5 security hotfix. Restrict iControl REST access to management networks only. Implement multi-factor authentication for BIG-IP admin access. Monitor tmsh command logs for unusual save operations. Rotate TLS certificates if compromise is suspected.
When Client or Server SSL profiles are configured on a Virtual Server, or DNSSEC signing operations are in use, undisclo
When a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is conf
When SNMP v1 or v2c are disabled on the BIG-IP, undisclosed requests can cause an increase in memory resource utilizatio
When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase i
When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS
BIG-IP Advanced WAF and ASM experience denial of service when processing specific requests under certain conditions, cau
Big-Ip Access Policy Manager is affected by user interface (ui) misrepresentation of critical information (CVSS 3.1).
An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to bre
When a BIG-IP LTM Client SSL profile is configured on a virtual server with SSL Forward Proxy enabled and Anonymous Diff
When HTTP/2 client and server profile is configured on a virtual server, undisclosed requests can cause TMM to terminate
When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can c
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today