CVE-2025-20029
Published: 05 February 2025
Summary
CVE-2025-20029 is a high-severity OS Command Injection (CWE-78) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-20029 is a command injection vulnerability (CWE-78) affecting the iControl REST interface and the BIG-IP TMOS Shell (tmsh) save command on F5 BIG-IP systems. An authenticated user can supply crafted input that results in execution of arbitrary operating system commands. The flaw carries a CVSS 4.0 score of 8.7, reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
An authenticated attacker with access to either iControl REST or tmsh can exploit the issue to run system-level commands on the affected BIG-IP device. Successful exploitation grants the attacker the ability to read, modify, or delete data and potentially disrupt device operation without requiring user interaction.
F5 has published mitigation guidance in knowledge article K000148587, which addresses affected software versions and recommended remediation steps. The current EPSS score of 0.6618 indicates moderate exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2142
Vulnerability details
Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the publicly reachable iControl REST/tmsh interface directly enables remote arbitrary command execution (T1190 + T1059.004) from a low-privileged authenticated account, resulting in full system compromise (T1068).
Mitigating Controls (NIST 800-53 r5)
- Flaw Remediation (SI-2): directly mitigates the command injection vulnerability by requiring timely identification, reporting, and patching of the specific flaw in the iControl REST and tmsh save command as per the F5 advisory.
- Information Input Validation (SI-10): prevents command injection (CWE-78) by enforcing input validation mechanisms at the iControl REST and tmsh interfaces to reject malformed or malicious inputs.
- Least privilege: limits the impact of arbitrary command execution by ensuring authenticated low-privilege users and affected processes operate with least privilege on the BIG-IP system.
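To make the SI-10 control concrete, the following is an added, constructed example (not F5's code and not a description of the actual flaw) showing the generic CWE-78 pattern in a hypothetical wrapper around a "save"-style command, beside a hardened form. The command shape, the `filename` parameter and the allowlist pattern are all assumptions for illustration; the point is that a value reaching an OS command should be validated against a narrow allowlist and passed as a discrete argument, never interpolated into a shell string.

```python
import re
import subprocess

# Constructed allowlist (assumption): a short identifier of letters, digits,
# dot, underscore and hyphen that must start with an alphanumeric character.
# Anything else, including ';', '|', '$(', spaces and path separators, is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def build_save_command_unsafe(filename: str) -> str:
    """Vulnerable pattern (CWE-78): the caller-supplied value is concatenated
    into a shell command line, so shell metacharacters change its meaning.
    Hypothetical command shape; shown only to contrast with the safe form."""
    return f"tmsh save sys config file {filename}"


def validate_filename(filename: str) -> str:
    """SI-10 style input validation: accept only values matching the allowlist.
    Rejecting rather than sanitising avoids incomplete blocklists."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return filename


def build_save_command_safe(filename: str) -> list[str]:
    """Hardened form: the validated value becomes one argv element and the
    command is never handed to a shell, so no interpolation can occur."""
    return ["tmsh", "save", "sys", "config", "file", validate_filename(filename)]


def run_save(filename: str, dry_run: bool = True):
    """Build the argv list and, unless dry_run, execute it without a shell.
    dry_run defaults to True so the example is safe to run anywhere."""
    argv = build_save_command_safe(filename)
    if dry_run:
        return argv
    return subprocess.run(argv, shell=False, check=True)


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a shell metacharacter.
    for candidate in ("nightly-backup.ucs", "nightly.ucs; id"):
        try:
            print("accepted:", run_save(candidate))
        except ValueError as exc:
            print("blocked:", exc)
```

Validation belongs at the interface boundary (the REST handler or shell command parser) before the value reaches any subprocess call; the argv form then acts as a second, independent layer so a validation gap does not become command execution.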