CVE-2025-31644 PoC: F5 iControl REST and F5 BIG-IP TMOS Shell Command Injection Vulnerability

Associated Vulnerability
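Title: F5 iControl REST and F5 BIG-IP TMOS Shell Command Injection Vulnerability (CVE-2025-31644)
Description: F5 iControl REST and F5 BIG-IP TMOS Shell are both products of F5, a US company. F5 iControl REST is a development framework. F5 BIG-IP TMOS Shell is a command-line shell. F5 iControl REST and F5 BIG-IP TMOS Shell contain a command injection vulnerability. The vulnerability stems from command injection and may lead to the execution of arbitrary system commands.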
Description
CVE-2025-31644: Command Injection in Appliance mode in F5 BIG-IP
Readme
# CVE-2025-31644: Command Injection in Appliance mode in F5 BIG-IP

The “file” parameter of the “save” command is vulnerable to command injection, allowing an authenticated attacker with administrator privileges on the “/mgmt” web API or the SSH “tmsh” shell to obtain remote code execution as the “root” user on the target system.

**Note:** This finding is only considered a vulnerability when BIG-IP runs in Appliance mode, where it may allow an authenticated attacker with the administrator role to bypass the Appliance mode security that would otherwise prevent the execution of arbitrary Advanced Shell (bash) commands.

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://my.f5.com/manage/s/article/K000148591).

### Requirements:

This vulnerability requires:

- Valid user credentials
- The capability to send requests to the iControl REST component and/or the capability to execute tmsh commands

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2025-31644/blob/main/F5%20-%20CVE-2025-31644.pdf).

File Snapshot

[4.0K] /data/pocs/afe86b6cb8118be5540a5449bedc2a055b99c406
├── [375K] F5 - CVE-2025-31644.pdf
└── [1.1K] README.md

0 directories, 2 files