CVE-2025-31644

HIGH

BIG-IP TMOS Shell - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-31644. PoCs published by mbadanoiu, cybersecplayground.

AI-analyzed exploit summary: This repository provides a writeup for CVE-2025-31644, a command injection vulnerability in F5 BIG-IP's Appliance mode. It describes how an authenticated attacker with administrator privileges can achieve remote code execution as root via the 'file' parameter of the 'save' command.

Description

When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Exploits (2)

nomisec WRITEUP 24 stars
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2025-31644

This repository provides a writeup for CVE-2025-31644, a command injection vulnerability in F5 BIG-IP's Appliance mode. It describes how an authenticated attacker with administrator privileges can achieve remote code execution as root via the 'file' parameter of the 'save' command.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: F5 BIG-IP (Appliance mode)
Auth required
Prerequisites: Valid user credentials · Access to iControl REST API or tmsh shell
devstral-2 · analyzed Feb 16, 2026
github WRITEUP 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2025/CVE-2025-31644.md

The repository contains detailed technical writeups for multiple CVEs, including CVE-2025-31644, with descriptions, proof-of-concept examples, and mitigation recommendations. It does not include functional exploit code but provides in-depth analysis of vulnerabilities.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Various (e.g., account_mgr.cgi, Ivanti Connect Secure, Zabbix, Check Point VPN, Bricks Builder)
No auth needed
Prerequisites: Access to vulnerable endpoints · Basic understanding of vulnerability exploitation
devstral-2 · analyzed Feb 27, 2026

References (1)

Core References
Vendor Advisory
https://my.f5.com/manage/s/article/K000148591

Scores

CVSS v3 8.7
EPSS 0.2395
EPSS Percentile 97.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE: CWE-77
Status: published
Products (21)
f5/big-ip_access_policy_manager 15.1.0 - 15.1.10.7
f5/big-ip_advanced_firewall_manager 15.1.0 - 15.1.10.7
f5/big-ip_advanced_web_application_firewall 15.1.0 - 15.1.10.7
f5/big-ip_analytics 15.1.0 - 15.1.10.7
f5/big-ip_application_acceleration_manager 15.1.0 - 15.1.10.7
f5/big-ip_application_security_manager 15.1.0 - 15.1.10.7
f5/big-ip_application_visibility_and_reporting 15.1.0 - 15.1.10.7
f5/big-ip_automation_toolchain 15.1.0 - 15.1.10.7
f5/big-ip_carrier-grade_nat 15.1.0 - 15.1.10.7
f5/big-ip_container_ingress_services 15.1.0 - 15.1.10.7
... and 11 more
Published May 07, 2025
Tracked Since Feb 18, 2026