CVE-2025-20029

HIGH

F5 BIG-IP 15.1.0-15.1.10.6 - Authenticated OS Command Injection via iControl REST and TMOS Shell Save Command

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-20029. PoCs published by mbadanoiu, cybersecplayground, schoi1337.

AI-analyzed exploit summary This repository provides a writeup for CVE-2025-20029, a command injection vulnerability in the F5 BIG-IP TMSH CLI. It describes how an authenticated attacker can bypass restrictions and achieve remote code execution as root.

Description

Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Exploits (3)

nomisec WRITEUP 22 stars
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2025-20029

This repository provides a writeup for CVE-2025-20029, a command injection vulnerability in the F5 BIG-IP TMSH CLI. It describes how an authenticated attacker can bypass restrictions and achieve remote code execution as root.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: F5 BIG-IP (version not specified)
Auth required
Prerequisites: Valid user credentials · Access to iControl REST or tmsh commands
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WRITEUP 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2025/CVE-2025-20029.md

The repository contains detailed technical writeups for multiple CVEs, including command injection, XXE, SQLi, and RCE vulnerabilities. Each writeup provides vulnerability overviews, proof-of-concept details, and mitigation recommendations.

Classification
Writeup 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Various (e.g., account_mgr.cgi, Ivanti Connect Secure, Zabbix, Check Point VPN, Bricks Builder)
No auth needed
Prerequisites: Access to vulnerable endpoints · Basic understanding of exploit techniques
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 3 stars
by schoi1337 · poc
https://github.com/schoi1337/CVE-2025-20029-simulation

This repository contains a working proof-of-concept for CVE-2025-20029, a command injection vulnerability in F5 BIG-IP's iControl REST API. It includes a Flask-based simulation of the vulnerable endpoint and an exploit script to demonstrate remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: F5 BIG-IP iControl REST API
Auth required
Prerequisites: Docker · Python 3.8+ · Authenticated access to the iControl REST API
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
https://my.f5.com/manage/s/article/K000148587

Scores

CVSS v3 8.8
EPSS 0.0784
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (21)
f5/big-ip_access_policy_manager 15.1.0 - 15.1.10.6
f5/big-ip_advanced_firewall_manager 15.1.0 - 15.1.10.6
f5/big-ip_advanced_web_application_firewall 15.1.0 - 15.1.10.6
f5/big-ip_analytics 15.1.0 - 15.1.10.6
f5/big-ip_application_acceleration_manager 15.1.0 - 15.1.10.6
f5/big-ip_application_security_manager 15.1.0 - 15.1.10.6
f5/big-ip_application_visibility_and_reporting 15.1.0 - 15.1.10.6
f5/big-ip_automation_toolchain 15.1.0 - 15.1.10.6
f5/big-ip_carrier-grade_nat 15.1.0 - 15.1.10.6
f5/big-ip_container_ingress_services 15.1.0 - 15.1.10.6
... and 11 more
Published Feb 05, 2025
Tracked Since Feb 18, 2026