Command Injection in Appliance Mode in F5 BIG-IP (CVE-2025-31644)
Summary
Vulnerability Name | Command Injection in Appliance Mode in F5 BIG-IP (CVE-2025-31644) |
Released on | May 13, 2025 |
Affected Component | F5 BIG-IP |
Affected Version | 17.1.0 ≤ F5 BIG-IP < 17.1.2.2; 16.1.0 ≤ F5 BIG-IP < 16.1.6; 15.1.0 ≤ F5 BIG-IP < 15.1.10.7 |
Vulnerability Type | Command injection |
Exploitation Condition |
|
Impact | Exploitation difficulty: difficult. Administrator privileges are required to exploit this vulnerability. Severity: high-risk. This vulnerability may lead to remote code execution. |
Official Solution | Available |
About the Vulnerability
Component Introduction
F5 BIG-IP is an advanced application delivery controller (ADC) and load balancing device developed by F5 Networks. It is a type of network device widely used in large enterprises and data center environments to enhance application performance, availability, security, and scalability.
Vulnerability Description
On May 13, 2025, Sangfor FarSight Labs received notification of a command injection vulnerability in Appliance mode in F5 BIG-IP (CVE-2025-31644), rated as a high-risk threat.
Specifically, when F5 BIG-IP runs in Appliance mode, a command injection vulnerability exists in the TMOS Shell (tmsh) that may allow an authenticated attacker with the administrator role to execute arbitrary system commands, leading to compromise of the server.
Affected Versions
- 17.1.0 ≤ F5 BIG-IP < 17.1.2.2
- 16.1.0 ≤ F5 BIG-IP < 16.1.6
- 15.1.0 ≤ F5 BIG-IP < 15.1.10.7
Solutions
Remediation Suggestions
How to View the Component Version
You can run the cat VERSION command to view the version of the affected component.
Official Solution
New versions have been officially released to fix the vulnerability. Affected users are advised to update F5 BIG-IP to one of the following versions as needed:
- F5 BIG-IP 17.1.2.2
- F5 BIG-IP 16.1.6
- F5 BIG-IP 15.1.10.7
Download link: https://my.f5.com/manage/s/article/K000148591
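To triage an inventory against the affected and fixed versions listed above, the following added example (not F5 or Sangfor code) classifies either a bare version string or the text of a VERSION file. The `Version:` line format and the sample file text are assumptions, and the check covers version ranges only, not whether Appliance mode is enabled.

```python
import re

# Ranges exactly as listed in this advisory: (first affected, first fixed).
AFFECTED = [
    ((17, 1, 0), (17, 1, 2, 2)),
    ((16, 1, 0), (16, 1, 6)),
    ((15, 1, 0), (15, 1, 10, 7)),
]

# Constructed sample; the "Version:" line layout is an assumption.
SAMPLE_VERSION_FILE = "Product: BIG-IP\nVersion: 16.1.5\nBuild: 0.0.3\n"


def parse_version(text):
    """Accept a bare version ("17.1.2") or file text with a 'Version:' line."""
    m = re.search(r"^\s*Version:\s*(\S+)", text, re.MULTILINE)
    raw = m.group(1) if m else text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", raw):
        raise ValueError(f"unrecognised version: {raw!r}")
    return tuple(int(p) for p in raw.split("."))


def _pad(v, n=4):
    # 16.1.6 and 16.1.6.0 must compare equal, so pad to four components.
    return tuple(v) + (0,) * (n - len(v))


def classify(text):
    """Return (status, fixed_version) for CVE-2025-31644.

    status is "affected", "fixed", or "not-listed" (a branch this
    advisory does not mention, which needs a look at the vendor article).
    """
    v = _pad(parse_version(text))
    for low, fixed in AFFECTED:
        fixed_str = ".".join(map(str, fixed))
        if _pad(low) <= v < _pad(fixed):
            return "affected", fixed_str
        if v[:2] == low[:2] and v >= _pad(fixed):
            return "fixed", fixed_str
    return "not-listed", None


if __name__ == "__main__":
    for item in (SAMPLE_VERSION_FILE, "17.1.2", "17.1.2.2", "15.1.10.6", "14.1.5"):
        print(parse_version(item), classify(item))
```

A "not-listed" result means only that the branch does not appear in this advisory, not that it is unaffected.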
Sangfor Solutions
Vulnerability Monitoring
The following Sangfor products support CVE-2025-31644 vulnerability monitoring and can identify affected assets and impact scope in business scenarios through traffic collection:
- Cyber Command: Monitoring solution available May 21, 2025. Rule ID: 11029220.
- Sangfor Cyber Guardian Platform: Monitoring solution available May 21, 2025. Rule ID: 11029220.
- Sangfor XDR: Monitoring solution available May 21, 2025. Rule ID: 11029220.
Vulnerability Prevention
The following Sangfor products can effectively block CVE-2025-31644 exploits:
- Network Secure: Prevention solution available May 21, 2025. Rule ID: 11029220.
- Sangfor Web Application Firewall: Prevention solution available May 21, 2025. Rule ID: 11029220.
- Sangfor Cyber Guardian Platform: Prevention solution available May 21, 2025. Rule ID: 11029220.
- Sangfor XDR: Prevention solution available May 21, 2025. Rule ID: 11029220.
Timeline
- May 13, 2025: Sangfor FarSight Labs received notification of the vulnerability.
- May 13, 2025: Sangfor FarSight Labs released a vulnerability alert.
References
https://my.f5.com/manage/s/article/K000148591