CVE-2025-24320 Overview
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the F5 BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability represents an incomplete fix for CVE-2024-31156, indicating that the original patch did not fully address all attack vectors for the stored XSS condition.
The vulnerability affects the BIG-IP Configuration utility, a web-based management interface used by administrators to configure and manage F5 BIG-IP appliances. When exploited, an attacker with low-level privileges can inject malicious JavaScript that persists in the application and executes when other authenticated users access the affected page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the browser context of administrators managing BIG-IP infrastructure, potentially leading to session hijacking, configuration changes, or credential theft.
Affected Products
- F5 BIG-IP Access Policy Manager
- F5 BIG-IP Advanced Firewall Manager
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Analytics
- F5 BIG-IP Application Acceleration Manager
- F5 BIG-IP Application Security Manager
- F5 BIG-IP Application Visibility and Reporting
- F5 BIG-IP Automation Toolchain
- F5 BIG-IP Carrier-Grade NAT
- F5 BIG-IP Container Ingress Services
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Domain Name System
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP Global Traffic Manager
- F5 BIG-IP Link Controller
- F5 BIG-IP Local Traffic Manager
- F5 BIG-IP Policy Enforcement Manager
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP WebAccelerator
- F5 BIG-IP WebSafe
Discovery Timeline
- February 5, 2025 - CVE-2025-24320 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-24320
Vulnerability Analysis
This stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) exists within the BIG-IP Configuration utility web interface. The flaw allows authenticated users to inject malicious JavaScript code that is stored on the server and subsequently rendered without proper sanitization when other users access the affected page.
The vulnerability is particularly concerning because it represents an incomplete remediation of CVE-2024-31156, suggesting that the original fix missed certain input vectors or encoding scenarios that could still be leveraged for XSS attacks. This pattern of incomplete patches often indicates complex input handling where multiple entry points exist for the same type of vulnerability.
Given that the BIG-IP Configuration utility is used by administrators to manage critical network infrastructure, successful exploitation could allow attackers to perform actions with administrator privileges, including modifying traffic policies, accessing sensitive configuration data, or establishing persistent access to the management interface.
Root Cause
The vulnerability stems from insufficient input validation and output encoding in the BIG-IP Configuration utility. Despite the previous patch for CVE-2024-31156, certain user-supplied input is still not properly sanitized before being stored in the application and later rendered in the browser context of other users. This indicates that the original fix did not comprehensively address all input fields or encoding contexts where malicious scripts could be injected.
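The encoding-context gap described above, illustrated with added example code that is not F5's code (the affected page is undisclosed): a stored description value is rendered into three HTML contexts, first with escaping applied only to element text, then with context-appropriate encoding for each. The sample value and function names are assumptions made for the illustration.

```python
import html
import json

# Constructed sample value for a free-text field such as an object description.
# It is not an exploit string; it only carries the characters that are
# significant in each output context (quote, angle brackets, ampersand).
SAMPLE_DESCRIPTION = 'Pool "A" <staging> & legacy'

def render_partially_fixed(description: str) -> str:
    """'Before' pattern: the value is escaped where it appears as element text,
    but the same value is also written into an attribute and a script block
    with no encoding. A patch that only covers the first context leaves the
    other two open, which is the shape of an incomplete stored-XSS fix."""
    return (
        f"<td>{html.escape(description)}</td>\n"
        f'<input type="text" value="{description}">\n'
        f'<script>var desc = "{description}";</script>'
    )

def js_string_literal(value: str) -> str:
    """JSON-encode the value as a JS string literal and encode "<" so that a
    "</script>" inside the value cannot terminate the script element."""
    return json.dumps(value).replace("<", "\\u003c")

def render_hardened(description: str) -> str:
    """'After' pattern: encode for each context the value lands in."""
    attr = html.escape(description, quote=True)  # quote=True also encodes " and '
    return (
        f"<td>{html.escape(description)}</td>\n"
        f'<input type="text" value="{attr}">\n'
        f"<script>var desc = {js_string_literal(description)};</script>"
    )

def attribute_broken(rendered: str) -> bool:
    """Crude check on the rendered input tag: a raw quote inside the value
    means the stored text can close the attribute early."""
    start = rendered.index('value="') + len('value="')
    end = rendered.index('">', start)
    return '"' in rendered[start:end]
```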
Attack Vector
The attack requires network access to the BIG-IP Configuration utility and valid user credentials (low privilege level). The attacker submits specially crafted input containing JavaScript code through the vulnerable page. This payload is stored on the server and persists until cleaned or overwritten. When another authenticated user (typically an administrator) navigates to the affected page, the stored malicious script executes in their browser session.
The stored nature of this XSS makes it more dangerous than reflected XSS because it does not require social engineering to trick victims into clicking malicious links—the payload is served directly from the trusted BIG-IP management interface. Successful exploitation can lead to session token theft, unauthorized administrative actions, or further lateral movement within the network infrastructure.
Detection Methods for CVE-2025-24320
Indicators of Compromise
- Unusual JavaScript content or encoded script tags stored in BIG-IP Configuration utility database or configuration files
- Unexpected HTTP requests originating from administrator sessions to external domains
- Anomalous administrative actions logged in BIG-IP audit logs that the administrator did not perform
- Browser developer console errors or warnings related to cross-origin requests during Configuration utility usage
Detection Strategies
- Monitor BIG-IP audit logs for configuration changes that correlate with unusual access patterns or times
- Implement Content Security Policy (CSP) headers on the Configuration utility to detect and block inline script execution
- Deploy network monitoring to identify suspicious outbound connections from management interfaces
- Review stored data in the Configuration utility for unexpected HTML or JavaScript content
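One way to apply the last strategy above to an exported configuration, as added example code that is not from F5 or from the advisory: it walks a bigip.conf-style text and flags quoted field values that contain raw, entity-encoded or percent-encoded markup, javascript: URLs or inline event-handler attributes. The sample configuration is constructed, and the matching patterns assume the indented `key "value"` layout of that format.

```python
import re

# Constructed excerpt of an exported BIG-IP configuration in bigip.conf style.
# Every description value is made-up test data for this example; none comes
# from the advisory or from a real device.
SAMPLE_CONFIG = """\
ltm pool /Common/web_pool {
    description "production web servers"
}
ltm virtual /Common/vs_http {
    description "front door <script>x</script>"
}
ltm node /Common/10.0.1.11 {
    description "stage &lt;script&gt; copy"
}
ltm node /Common/10.0.1.12 {
    description "onload=1 in the name of a test"
}
"""

# Markers worth flagging in a free-text field: raw tag openers, the entity- and
# percent-encoded forms of "<" that a naive filter can miss, javascript: URLs
# and inline event-handler attributes.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]"            # raw tag such as <script or </a
    r"|&lt;\s*/?\s*[a-z]"        # entity-encoded tag
    r"|&#(?:x0*3c|0*60);?"       # numeric entity for "<"
    r"|%3c"                      # percent-encoded "<"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*=",          # onload=, onerror=, ...
    re.IGNORECASE,
)
OBJECT_HEADER = re.compile(r"^(\S+ \S+ \S+) \{$")     # "ltm pool /Common/x {"
QUOTED_FIELD = re.compile(r'^\s+(\S+)\s+"(.*)"\s*$')  # '    description "..."'

def find_stored_script(config_text: str) -> list[dict]:
    """One finding per quoted field whose value matches SUSPICIOUS, tagged
    with the enclosing configuration object and the line number."""
    findings, current_object = [], None
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        header = OBJECT_HEADER.match(line)
        if header:
            current_object = header.group(1)
            continue
        field = QUOTED_FIELD.match(line)
        if field and SUSPICIOUS.search(field.group(2)):
            findings.append({"line": lineno, "object": current_object,
                             "field": field.group(1), "value": field.group(2)})
    return findings
```

Run it against the output of a configuration export rather than the live device; a hit is a lead for review, since benign descriptions can legitimately contain markup-like text.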
Monitoring Recommendations
- Enable comprehensive logging on BIG-IP management interfaces and forward logs to a SIEM solution
- Configure alerts for administrative actions that occur outside normal business hours or from unexpected source IPs
- Regularly review user session activity in the Configuration utility for signs of session hijacking
- Monitor for failed authentication attempts followed by successful access, which may indicate credential theft
How to Mitigate CVE-2025-24320
Immediate Actions Required
- Apply the security patches referenced in F5 Security Article K000140578 immediately
- Restrict network access to the BIG-IP Configuration utility to trusted management networks only
- Review and audit all user accounts with access to the Configuration utility, removing unnecessary privileges
- Enable multi-factor authentication for administrative access where supported
Patch Information
F5 has released security updates to address this vulnerability. Organizations should consult the F5 Security Article K000140578 for specific patch versions applicable to their BIG-IP deployment. Note that software versions that have reached End of Technical Support (EoTS) are not evaluated and may require upgrades to supported versions.
Workarounds
- Limit access to the BIG-IP Configuration utility to only essential administrative personnel
- Use network segmentation to isolate management interfaces from general network traffic
- Implement a web application firewall (WAF) in front of the Configuration utility if external access is required
- Consider disabling the web-based Configuration utility and using CLI or API-based management until patches are applied
# Example: Restrict Configuration utility access via network ACL
# Run from tmsh; replace the example ranges with your own management networks.
# This list governs the Configuration utility (httpd) only; SSH access is
# controlled separately under sys sshd allow.
modify /sys httpd allow replace-all-with { 10.0.0.0/8 192.168.1.0/24 }
save /sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.