CVE-2025-59481: F5 BIG-IP APM Privilege Escalation Flaw

CVE-2025-59481 is a privilege escalation vulnerability in F5 BIG-IP Access Policy Manager that enables authenticated attackers to execute system commands with elevated privileges and cross security boundaries.

Published: May 26, 2026

CVE-2025-59481 Overview

CVE-2025-59481 is a privilege escalation vulnerability affecting F5 BIG-IP products. An authenticated attacker holding at least the resource administrator role can execute arbitrary system commands at higher privileges through an undisclosed iControl REST endpoint and BIG-IP TMOS Shell (tmsh) command. The flaw is classified under CWE-250: Execution with Unnecessary Privileges and crosses a documented security boundary inside the BIG-IP management plane. F5 published advisory K000156642 on October 15, 2025. Software versions that have reached End of Technical Support (EoTS) were not evaluated by F5.

Critical Impact

Authenticated resource administrators on F5 BIG-IP can break out of role-based command restrictions and execute system commands with elevated privileges, leading to full appliance compromise.

Affected Products

  • F5 BIG-IP Local Traffic Manager (LTM), Access Policy Manager (APM), and Advanced WAF
  • F5 BIG-IP Advanced Firewall Manager (AFM), DNS, Global Traffic Manager, and SSL Orchestrator
  • F5 BIG-IP Application Security Manager (ASM), Policy Enforcement Manager, DDoS Hybrid Defender, Carrier-Grade NAT, Link Controller, Edge Gateway, WebAccelerator, Analytics, Application Acceleration Manager, Application Visibility and Reporting, Automation Toolchain, Container Ingress Services, Fraud Protection Service, and WebSafe

Discovery Timeline

  • 2025-10-15 - CVE-2025-59481 published to NVD and F5 advisory K000156642 released
  • 2026-02-04 - Last updated in NVD database

Technical Details for CVE-2025-59481

Vulnerability Analysis

The vulnerability resides in an undisclosed command exposed through both the iControl REST API and the BIG-IP TMOS Shell (tmsh). The affected code path executes with privileges higher than those granted to the calling role. An authenticated user with the resource administrator role, which is intended to be restricted from full system-level operations, can invoke the command to run arbitrary operating system commands on the BIG-IP appliance. This breaks the trust boundary between role-based administrative tiers and the underlying TMOS host.

The attack vector is network-based and does not require user interaction. F5 has not disclosed the specific command, function, or REST endpoint to limit pre-patch exploitation. Successful exploitation grants the attacker the ability to read sensitive configuration, modify traffic policies, pivot into adjacent management networks, and persist on the device.

Root Cause

The root cause maps to CWE-250: Execution with Unnecessary Privileges. A privileged helper or setuid-style execution path invoked by the affected tmsh and iControl REST handler does not adequately drop privileges or validate that the calling role is authorized to perform the underlying system operation. Resource administrators inherit access to system command execution that should be reserved for higher-privileged accounts.

Attack Vector

Exploitation requires valid credentials with at least the resource administrator role. The attacker reaches the BIG-IP management interface over the network, authenticates to iControl REST (typically https://<bigip>/mgmt/tm/...) or to tmsh over SSH, and invokes the undisclosed command with crafted arguments. The injected operating system commands run in the context of the elevated privilege boundary, yielding code execution on the appliance. Because F5 has not publicly disclosed the vulnerable endpoint, no public proof-of-concept exists at the time of writing.

Detection Methods for CVE-2025-59481

Indicators of Compromise

  • Unexpected tmsh command executions or shell spawns originating from accounts assigned the resource administrator role.
  • iControl REST POST or PUT requests to administrative endpoints from accounts that do not typically perform configuration changes.
  • New local users, modified SSH keys, or unauthorized changes to /config/bigip.conf and other TMOS configuration files.
  • Outbound network connections initiated by BIG-IP system processes that deviate from baseline traffic.

Detection Strategies

  • Forward BIG-IP audit logs (/var/log/audit, /var/log/restjavad-audit.0.log, /var/log/secure) to a centralized log platform and alert on tmsh command anomalies executed by non-admin roles.
  • Correlate iControl REST API calls with the authenticated user role, flagging resource administrator accounts that invoke endpoints typically used by full administrators.
  • Hunt for process lineage where management daemons (restjavad, tmsh, mcpd) spawn /bin/sh, /bin/bash, or other interpreters outside of normal maintenance windows.
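The indicators and detection strategies above reduce to one correlation: which account ran a command, what role that account holds, and whether the command reaches past what that role should need. The script below is an added example written for this page (it is not SentinelOne's or F5's code) that runs that correlation over constructed log lines. The tmsh lines approximate the `/var/log/audit` format (the `user=`, `status=[...]` and `cmd_data=` fields are what it keys on); the REST lines are a simplified JSON stand-in for restjavad audit records; the user-to-role map and the sensitive command and URI prefixes are assumptions. Because F5 has not named the vulnerable command, the prefix lists catch the known high-impact paths (host shell, account changes, management listeners), and the role check is what would surface a resource-admin account using something it never touched before.

```python
import json
import re
from dataclasses import dataclass

# Assumed role map; on a real appliance this comes from `tmsh list auth user`.
USER_ROLES = {
    "admin": "admin",
    "rsadmin": "resource-admin",
    "netops": "resource-admin",
    "auditor": "auditor",
}

# Approximation of the tmsh AUDIT line in /var/log/audit (assumption).
TMSH_AUDIT_RE = re.compile(
    r"AUDIT - pid=(?P<pid>\d+) user=(?P<user>\S+) .*?"
    r"status=\[(?P<status>[^\]]*)\] cmd_data=(?P<cmd>.*)$"
)

# tmsh command prefixes a resource administrator should never need (assumed list).
SENSITIVE_TMSH = (
    "run util bash",
    "run util unix-",
    "create auth user",
    "modify auth user",
    "modify sys sshd",
    "modify sys httpd",
    "load sys config",
)
# iControl REST paths with the same meaning; only write methods are flagged.
SENSITIVE_REST = (
    "/mgmt/tm/util/bash",
    "/mgmt/tm/util/unix-",
    "/mgmt/tm/auth/user",
    "/mgmt/tm/sys/sshd",
    "/mgmt/tm/sys/httpd",
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Finding:
    user: str
    role: str
    source: str   # "tmsh" or "rest"
    detail: str   # the command or the method + URI

def classify_tmsh(line):
    """Flag a tmsh audit line if a non-admin role ran a sensitive command."""
    m = TMSH_AUDIT_RE.search(line)
    if not m:
        return None
    user, cmd = m.group("user"), m.group("cmd").strip()
    role = USER_ROLES.get(user, "unknown")
    if role == "admin":
        return None
    if cmd.startswith(SENSITIVE_TMSH):
        return Finding(user, role, "tmsh", cmd)
    return None

def classify_rest(line):
    """Flag a REST audit record if a non-admin role wrote to a sensitive path."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    user = rec.get("user", "")
    role = USER_ROLES.get(user, "unknown")
    if role == "admin" or rec.get("method") not in WRITE_METHODS:
        return None
    uri = rec.get("uri", "")
    if uri.startswith(SENSITIVE_REST):
        return Finding(user, role, "rest", f"{rec['method']} {uri}")
    return None

def analyze(log_text):
    """Run both classifiers over mixed log text and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        f = classify_rest(line) if line.startswith("{") else classify_tmsh(line)
        if f:
            findings.append(f)
    return findings

# Constructed sample: one benign admin action, one benign resource-admin read,
# a host shell spawn, an account creation, and a REST write to the bash endpoint.
SAMPLE_LOG = """\
Oct 15 09:11:58 bigip1 notice tmsh[4101]: 01420002:5: AUDIT - pid=4101 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys version
Oct 15 09:12:01 bigip1 notice tmsh[4188]: 01420002:5: AUDIT - pid=4188 user=rsadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
Oct 15 09:12:07 bigip1 notice tmsh[4190]: 01420002:5: AUDIT - pid=4190 user=rsadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash -c "id"
Oct 15 09:12:20 bigip1 notice tmsh[4203]: 01420002:5: AUDIT - pid=4203 user=netops folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user svc-backup password REDACTED role admin
{"ts":"2025-10-15T09:13:02Z","user":"rsadmin","method":"GET","uri":"/mgmt/tm/ltm/pool","status":200}
{"ts":"2025-10-15T09:13:09Z","user":"rsadmin","method":"POST","uri":"/mgmt/tm/util/bash","status":200}
{"ts":"2025-10-15T09:13:30Z","user":"admin","method":"POST","uri":"/mgmt/tm/sys/sshd","status":200}
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.source}] user={f.user} role={f.role}: {f.detail}")
```

Feed it the forwarded audit and REST logs described above, replace `USER_ROLES` with the live role inventory, and tune the prefix lists to the appliance's normal change workflow; the point of the role check is that a resource administrator writing to any of these paths is anomalous regardless of which command turns out to be the undisclosed one.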

Monitoring Recommendations

  • Baseline legitimate API usage per service account and alert on deviations in endpoint coverage, request volume, or source IP.
  • Enable BIG-IP appliance-mode where supported to restrict root shell access and reduce the blast radius of privilege escalation.
  • Monitor authentication logs for resource administrator logins from new geolocations, jump hosts, or service accounts that were previously dormant.

How to Mitigate CVE-2025-59481

Immediate Actions Required

  • Apply the fixed versions listed in F5 advisory K000156642 as soon as a maintenance window allows.
  • Inventory all BIG-IP accounts with the resource administrator role and remove unnecessary assignments.
  • Restrict access to the BIG-IP management interface (iControl REST and SSH/tmsh) to a dedicated management network and trusted bastion hosts only.
  • Rotate credentials and SSH keys for any administrative accounts that may have been exposed prior to patching.
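The second action above, inventorying every account that holds the resource administrator role, is easiest to do from the output of `tmsh list auth user`. The parser below is an added example for this page, not SentinelOne's or F5's tooling; the sample output is constructed to match the bracketed `auth user ... { partition-access { ... } shell ... }` layout that command prints, and the set of roles treated as elevated is an assumption. It returns one row per elevated assignment, including the login shell, so that an account holding resource-admin together with a bash shell stands out.

```python
import re
from dataclasses import dataclass, field

@dataclass
class BigIpUser:
    name: str
    roles: dict = field(default_factory=dict)   # partition -> role
    shell: str = "none"

USER_RE = re.compile(r"^auth user (\S+) \{$")

# Roles whose holders can reach the code path this advisory concerns (assumed set).
ELEVATED_ROLES = {"admin", "resource-admin"}

def parse_auth_users(text):
    """Parse `tmsh list auth user` output into BigIpUser records.

    depth 1 = inside a user block, 2 = inside partition-access,
    3 = inside one partition entry; only those levels carry data we need.
    """
    users, current, depth = [], None, 0
    in_partition_access, partition = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if depth == 0:
            m = USER_RE.match(line)
            if m:
                current = BigIpUser(m.group(1))
                users.append(current)
                depth = 1
            continue
        if line == "}":
            if depth == 3:
                partition = None
            elif depth == 2:
                in_partition_access = False
            elif depth == 1:
                current = None
            depth -= 1
            continue
        if line.endswith(" {"):
            depth += 1
            name = line[:-2]
            if depth == 2 and name == "partition-access":
                in_partition_access = True
            elif depth == 3 and in_partition_access:
                partition = name
            continue
        key, _, value = line.partition(" ")
        if depth == 1 and key == "shell":
            current.shell = value
        elif depth == 3 and key == "role" and partition is not None:
            current.roles[partition] = value
    return users

def review(users):
    """Return (user, partition, role, shell) for every elevated role assignment."""
    rows = []
    for u in users:
        for part, role in sorted(u.roles.items()):
            if role in ELEVATED_ROLES:
                rows.append((u.name, part, role, u.shell))
    return rows

# Constructed sample output; password hashes are placeholders.
SAMPLE_LIST_AUTH_USER = """\
auth user admin {
    description admin
    encrypted-password $6$PLACEHOLDER
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user rsadmin {
    description "Resource admin"
    encrypted-password $6$PLACEHOLDER
    partition-access {
        all-partitions {
            role resource-admin
        }
    }
    shell tmsh
}
auth user netops {
    encrypted-password $6$PLACEHOLDER
    partition-access {
        Common {
            role resource-admin
        }
        Tenant-A {
            role operator
        }
    }
    shell none
}
auth user viewer {
    partition-access {
        all-partitions {
            role guest
        }
    }
    shell none
}
"""

if __name__ == "__main__":
    for name, part, role, shell in review(parse_auth_users(SAMPLE_LIST_AUTH_USER)):
        print(f"{name:<10} {part:<15} {role:<15} shell={shell}")
```

Run it against the saved output of `tmsh list auth user` from each appliance before patching; every row it prints is an account whose credentials should be rotated and whose role assignment should be justified or removed.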

Patch Information

F5 has released patched software versions for affected BIG-IP modules. Refer to the version matrix in F5 Security Advisory K000156642 for fixed releases that correspond to each affected branch. Versions that have reached End of Technical Support (EoTS) were not evaluated and should be upgraded to a supported, patched branch.

Workarounds

  • Limit the assignment of the resource administrator role to a minimal set of accounts and use higher-tier roles only on dedicated jump hosts.
  • Enforce network access controls on TCP/443 (iControl REST) and TCP/22 (tmsh over SSH) so that only authorized management subnets can reach the BIG-IP control plane.
  • Enable multi-factor authentication for all BIG-IP administrative accounts where supported via external authentication providers (RADIUS, TACACS+, or SAML).
```bash
# Configuration example: restrict iControl REST and SSH access to the management
# network. Port lockdown "none" on the data-plane self-IP keeps tcp/443 and tcp/22
# off the traffic interfaces; the httpd and sshd allow lists then limit which
# subnet can reach the management port (10.0.0.0/24 is a sample management subnet).
tmsh modify net self <self-ip-name> allow-service none
tmsh modify sys httpd allow replace-all-with { 10.0.0.0/24 }
tmsh modify sys sshd allow replace-all-with { 10.0.0.0/24 }
tmsh save sys config
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Privilege Escalation
  • Vendor/Tech: F5 BIG-IP Access Policy Manager
  • Severity: HIGH
  • CVSS Score: 8.5
  • EPSS Probability: 0.06%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-250
  • NVD-CWE-noinfo

Vendor Resources

  • F5 Security Advisory K000156642

Related CVEs

  • CVE-2025-53521: F5 BIG-IP APM RCE Vulnerability
  • CVE-2025-61958: F5 BIG-IP APM Auth Bypass Vulnerability
  • CVE-2025-58424: F5 BIG-IP APM Information Disclosure Flaw
  • CVE-2025-54500: F5 BIG-IP APM DoS Vulnerability