CVE-2025-20029: F5 BIG-IP Access Policy Manager RCE Flaw

CVE-2025-20029 Overview

A command injection vulnerability exists in F5 BIG-IP's iControl REST API and BIG-IP TMOS Shell (tmsh) save command. This vulnerability allows an authenticated attacker to execute arbitrary system commands on the underlying operating system. The flaw affects a wide range of F5 BIG-IP products, making it a significant security concern for organizations relying on F5 infrastructure for application delivery and security.

Critical Impact

Authenticated attackers can achieve arbitrary command execution on F5 BIG-IP systems through the iControl REST API or tmsh save command, potentially leading to complete system compromise.

Affected Products

• F5 BIG-IP Local Traffic Manager
• F5 BIG-IP Access Policy Manager
• F5 BIG-IP Advanced Firewall Manager
• F5 BIG-IP Advanced Web Application Firewall
• F5 BIG-IP Application Security Manager
• F5 BIG-IP Analytics
• F5 BIG-IP Application Acceleration Manager
• F5 BIG-IP Application Visibility and Reporting
• F5 BIG-IP Automation Toolchain
• F5 BIG-IP Carrier-Grade NAT
• F5 BIG-IP Container Ingress Services
• F5 BIG-IP DDoS Hybrid Defender
• F5 BIG-IP Domain Name System
• F5 BIG-IP Edge Gateway
• F5 BIG-IP Fraud Protection Service
• F5 BIG-IP Global Traffic Manager
• F5 BIG-IP Link Controller
• F5 BIG-IP Policy Enforcement Manager
• F5 BIG-IP SSL Orchestrator
• F5 BIG-IP WebAccelerator
• F5 BIG-IP WebSafe

Discovery Timeline

• February 5, 2025 - CVE-2025-20029 published to NVD
• October 21, 2025 - Last updated in NVD database

Technical Details for CVE-2025-20029

Vulnerability Analysis

This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists within the iControl REST interface and the tmsh save command functionality of F5 BIG-IP systems.

The vulnerability allows authenticated users with access to either the iControl REST API or the tmsh shell to inject and execute arbitrary operating system commands. While authentication is required, this significantly lowers the barrier for exploitation since compromised credentials or malicious insiders could leverage this flaw for privilege escalation or lateral movement within the network.

With an EPSS score of 58.328% (98th percentile), this vulnerability demonstrates a high probability of exploitation in the wild, making immediate remediation critical.

Root Cause

The root cause of CVE-2025-20029 lies in insufficient input validation and sanitization within the save command processing logic. When user-supplied input is passed to the save functionality, the application fails to properly neutralize special characters and shell metacharacters before constructing and executing system commands.

This allows attackers to escape the intended command context and inject additional commands that will be executed with the privileges of the BIG-IP system process. The vulnerability affects both the REST API endpoint and the interactive tmsh shell interface, indicating a shared underlying code path or validation routine.

Attack Vector

The attack vector for this vulnerability is network-based, requiring the attacker to have authenticated access to either the iControl REST API or direct tmsh shell access. The exploitation flow typically involves:

1. The attacker authenticates to the BIG-IP system using valid credentials (obtained through phishing, credential stuffing, or insider access)
2. The attacker crafts a malicious request to the iControl REST API or executes a specially crafted tmsh save command
3. The malicious payload contains shell metacharacters that break out of the intended command context
4. The injected commands execute with the privileges of the BIG-IP system, potentially allowing full system compromise

The vulnerability does not require user interaction beyond initial authentication, and exploitation can be performed remotely over the network. The save command functionality is commonly used in administrative operations, making this attack vector particularly concerning as it may blend with legitimate administrative traffic.

Detection Methods for CVE-2025-20029

Indicators of Compromise

• Unusual or unexpected commands appearing in BIG-IP system logs following save operations
• Anomalous process spawning from tmsh or iControl REST service processes
• Unexpected outbound network connections from BIG-IP management interfaces
• Modified system files or configurations not attributable to authorized administrative actions
• Evidence of shell metacharacters (;, |, &, $(), backticks) in iControl REST API request logs

Detection Strategies

• Monitor iControl REST API logs for requests containing shell metacharacters or unusual command patterns in the save endpoint
• Implement behavioral analysis to detect anomalous command execution patterns on BIG-IP systems
• Deploy network intrusion detection signatures to identify exploitation attempts targeting the iControl REST API
• Enable comprehensive audit logging on BIG-IP systems and centralize logs for security analysis

Monitoring Recommendations

• Enable detailed logging for all iControl REST API calls and tmsh command execution
• Configure SIEM alerting for command injection patterns in BIG-IP logs (look for ;, |, &&, ||, $() in command parameters)
• Monitor for unauthorized process creation or unexpected child processes from BIG-IP services
• Implement file integrity monitoring on critical BIG-IP system files and configurations

How to Mitigate CVE-2025-20029

Immediate Actions Required

• Apply the security patches provided by F5 as documented in their security advisory immediately
• Restrict network access to iControl REST API and management interfaces to trusted IP addresses only
• Review and audit all accounts with access to the BIG-IP management plane and remove unnecessary privileges
• Implement strong authentication mechanisms including multi-factor authentication for management access
• Monitor for exploitation attempts using the detection strategies outlined above

Patch Information

F5 has released security patches to address this vulnerability. Organizations should consult the F5 Security Advisory K000148587 for detailed patch information, affected version numbers, and upgrade guidance specific to their deployment. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.

Workarounds

• Restrict access to the iControl REST API and tmsh interfaces to only essential administrative users and trusted networks
• Implement network segmentation to isolate BIG-IP management interfaces from general network traffic
• Use firewall rules or BIG-IP self-IP port lockdown to limit access to management services
• Consider implementing a jump server or bastion host for all BIG-IP administrative access to provide additional logging and access control

# Example: Restrict iControl REST API access using BIG-IP self-IP port lockdown
# Access the Configuration utility > Network > Self IPs
# For each self IP used for management:
#   - Set Port Lockdown to "Allow Custom"
#   - Add only necessary ports/protocols for your environment
#   - Remove unnecessary default allowed services

# Alternative: Use iptables on the BIG-IP (advanced users only)
# Note: Test thoroughly in non-production first
tmsh modify sys db config.allow.rfc3927 value enable