CVE-2025-61958 Overview
CVE-2025-61958 is a security boundary bypass vulnerability in the F5 BIG-IP iHealth command. An authenticated attacker holding at least the resource administrator role can escape the Traffic Management Shell (tmsh) restricted environment and obtain access to an unrestricted bash shell. On BIG-IP systems configured in Appliance mode, successful exploitation crosses a documented security boundary, granting interactive operating system access that Appliance mode is specifically designed to prevent. The flaw is tracked under [CWE-250: Execution with Unnecessary Privileges]. F5 has published guidance in F5 Support Article K000154647. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this issue.
Critical Impact
An authenticated resource administrator can bypass tmsh restrictions on BIG-IP Appliance mode systems to gain bash shell access, breaking the appliance security boundary and exposing the underlying operating system.
Affected Products
- F5 BIG-IP Local Traffic Manager, Access Policy Manager, and Advanced Firewall Manager
- F5 BIG-IP Advanced Web Application Firewall, Application Security Manager, and SSL Orchestrator
- F5 BIG-IP DNS, Global Traffic Manager, Link Controller, Policy Enforcement Manager, Carrier-Grade NAT, DDoS Hybrid Defender, Edge Gateway, WebAccelerator, Analytics, Application Acceleration Manager, Application Visibility and Reporting, Automation Toolchain, Container Ingress Services, Fraud Protection Service, and WebSafe
Discovery Timeline
- 2025-10-15 - CVE-2025-61958 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-61958
Vulnerability Analysis
The BIG-IP platform restricts administrative users to the Traffic Management Shell (tmsh), a constrained command interpreter that exposes only sanctioned configuration operations. Appliance mode further enforces this restriction by removing the ability to drop to an underlying bash shell, treating the device as a sealed appliance.
The iHealth command, used for collecting diagnostic data and uploading qkview files to F5 iHealth services, fails to fully constrain command execution within the tmsh sandbox. An authenticated user with the resource administrator role (or higher) can invoke iHealth in a manner that allows shell command execution outside the restricted shell.
The result is direct access to bash with the privileges of the BIG-IP management plane, bypassing the Appliance mode security boundary documented by F5.
Root Cause
The root cause aligns with CWE-250 (Execution with Unnecessary Privileges). The iHealth utility executes underlying system operations without enforcing the same command filtering and shell containment that tmsh applies to other administrative actions. This design gap allows a privileged subcommand path to break out of the restricted interpreter.
Attack Vector
Exploitation requires valid credentials with at least the resource administrator role and network access to the BIG-IP management interface (SSH or Configuration utility). The attacker authenticates, launches the iHealth command via tmsh, and leverages the unsanitized execution path to spawn a bash shell. No user interaction is required beyond the attacker's own session.
No public proof-of-concept code is available, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. F5 has not published exploitation details. See the F5 Support Article K000154647 for vendor analysis.
Detection Methods for CVE-2025-61958
Indicators of Compromise
- Unexpected bash process spawned as a child of tmsh or the iHealth command on BIG-IP management hosts.
- Audit log entries showing iHealth invocations by resource administrator accounts followed by interactive shell activity.
- New or modified files in user home directories or /var/tmp immediately after an iHealth session.
Detection Strategies
- Review /var/log/audit and /var/log/secure for tmsh sessions that transition to bash without an explicit run /util bash request from a permitted administrator.
- Monitor for iHealth command usage outside of scheduled diagnostic or support workflows.
- Correlate authentication events against the change-management record to identify unauthorized resource administrator activity.
Monitoring Recommendations
- Forward BIG-IP audit, secure, and tmsh history logs to a centralized SIEM for retention and correlation.
- Alert on any process tree where iHealth or tmsh is the parent of /bin/bash, /bin/sh, or other interpreters.
- Track creation of qkview archives in /var/tmp and correlate with the invoking user identity.
How to Mitigate CVE-2025-61958
Immediate Actions Required
- Apply the fixed BIG-IP software versions referenced in F5 Support Article K000154647 as soon as maintenance windows allow.
- Audit all accounts with resource administrator or higher roles and remove privileges that are not required for current job functions.
- Restrict management plane access to a dedicated administrative network and enforce multi-factor authentication for all administrative logins.
Patch Information
F5 has issued fixed software versions for supported BIG-IP branches. Refer to F5 Support Article K000154647 for the authoritative list of fixed releases per product module. Versions that have reached End of Technical Support are not evaluated and should be upgraded to a supported branch.
Workarounds
- Limit use of the iHealth command to a small set of trusted operators and revoke the capability from general resource administrators where feasible.
- Enforce Appliance mode and verify the configuration after every upgrade or restore to ensure restricted shell policy is active.
- Use jump hosts and session recording for all BIG-IP administrative access to provide post-incident forensic evidence.
# Configuration example: verify Appliance mode and restrict admin shell access
tmsh show /sys global-settings | grep -i appliance-mode
tmsh modify /auth user <username> shell tmsh
tmsh list /auth user | grep -E 'shell|partition-access'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
