CVE-2025-36546 Overview
CVE-2025-36546 is an authorization bypass vulnerability affecting F5OS systems that allows unauthorized SSH access when specific configuration conditions are met. On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode, access via SSH key-based authentication is still allowed. This represents a critical security control bypass, as Appliance Mode is designed to restrict root-level access for compliance and security purposes.
For an attacker to exploit this vulnerability, they must obtain the root user's SSH private key. While this prerequisite adds complexity to exploitation, the potential for complete system compromise makes this a critical-severity vulnerability requiring immediate attention.
Critical Impact
Attackers with access to the root user's SSH private key can bypass Appliance Mode restrictions and gain unauthorized root-level access to F5OS systems, potentially compromising network infrastructure security controls.
Affected Products
- F5 F5OS-A (all versions prior to patch)
- F5 F5OS-C (all versions prior to patch)
Discovery Timeline
- 2025-05-07 - CVE CVE-2025-36546 published to NVD
- 2025-10-21 - Last updated in NVD database
Technical Details for CVE-2025-36546
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a fundamental flaw in how F5OS handles authorization decisions when transitioning between security modes. The core issue lies in the system's failure to properly invalidate or revoke pre-existing SSH key-based authentication configurations when Appliance Mode is enabled.
Appliance Mode is a security feature designed to limit root access and enforce stricter security controls, often required for regulatory compliance in sensitive environments. When enabled, it should effectively disable root user access via traditional methods. However, this vulnerability demonstrates that previously configured SSH key authentication persists through the mode transition, creating a security gap.
The network-based attack vector makes this vulnerability particularly concerning for organizations exposing F5OS management interfaces to networks where attackers might operate. While exploitation requires possession of the root user's SSH private key, this prerequisite may be satisfied through various means including compromised backup systems, insider threats, or previous security incidents.
Root Cause
The root cause of CVE-2025-36546 is a logic error in F5OS's security mode transition process. When Appliance Mode is enabled, the system fails to properly audit and revoke existing SSH key-based authentication configurations for the root user. This creates an inconsistent security state where the system reports Appliance Mode as active while still honoring legacy authentication methods that Appliance Mode is designed to prevent.
The authorization check mechanism does not properly evaluate whether SSH key authentication should be permitted under Appliance Mode restrictions, instead deferring to the pre-existing authentication configuration regardless of the current operational mode.
Attack Vector
The attack vector for this vulnerability is network-based, requiring the attacker to have network connectivity to the F5OS system's SSH service. The attack scenario involves:
- The F5OS system must have been previously configured to allow root SSH key-based authentication
- An administrator subsequently enables Appliance Mode, expecting root access to be restricted
- An attacker who has obtained the root user's SSH private key (through theft, compromise, or other means) can still authenticate
- Upon successful authentication, the attacker gains full root-level access to the F5OS system
The vulnerability mechanism involves the SSH authentication subsystem continuing to honor pre-configured public key entries in the root user's authorized_keys file even after Appliance Mode activation. Administrators would reasonably expect that enabling Appliance Mode would invalidate such access, but the authorization logic fails to enforce this restriction.
Detection Methods for CVE-2025-36546
Indicators of Compromise
- Unexpected SSH login attempts or successful authentications to the root account on F5OS systems
- SSH connections to F5OS management interfaces from unexpected source IP addresses
- Root user activity in system logs while Appliance Mode is reportedly enabled
- Changes to system configurations or security settings under the root context
Detection Strategies
- Review SSH authentication logs for root user login events on F5OS systems operating in Appliance Mode
- Implement network monitoring to detect SSH connections to F5OS management interfaces from unauthorized sources
- Deploy SIEM correlation rules to alert on root user authentication events when Appliance Mode is active
- Conduct periodic audits of root user authorized_keys configurations on F5OS systems
Monitoring Recommendations
- Enable comprehensive logging for all SSH authentication events on F5OS systems
- Configure alerting for any root user access attempts when Appliance Mode is enabled
- Monitor for anomalous administrative activity patterns on network infrastructure devices
- Implement network segmentation and access controls for F5OS management interfaces
How to Mitigate CVE-2025-36546
Immediate Actions Required
- Review all F5OS systems to identify those with Appliance Mode enabled and prior root SSH key authentication configuration
- Remove SSH public keys from the root user's authorized_keys file on affected systems
- Restrict network access to F5OS management interfaces to trusted administrative networks only
- Audit SSH private key storage and distribution to identify potential compromise
- Apply the vendor patch as soon as it becomes available
Patch Information
F5 has released a security advisory addressing this vulnerability. Administrators should consult the F5 Support Article (K000140574) for detailed patch information and upgrade guidance. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.
Workarounds
- Manually remove all SSH public keys from the root user's authorized_keys file before or after enabling Appliance Mode
- Implement network-level access controls to restrict SSH access to F5OS management interfaces from trusted sources only
- Rotate any potentially compromised root SSH private keys and ensure they are not reused
- Consider disabling SSH key-based authentication entirely for the root user if not operationally required
# Remove root user SSH authorized keys on F5OS systems
# Connect to F5OS system and execute:
rm -f /root/.ssh/authorized_keys
# Alternatively, verify no authorized keys exist:
ls -la /root/.ssh/
# Restrict SSH access via firewall rules (example)
# Limit SSH to management network only
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
