Cyber Resilience

CVE-2025-20029

HighRCE

Published: 05 February 2025

Published
05 February 2025
Modified
21 October 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.6618 98.5th percentile
Risk Priority 57 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20029 is a high-severity OS Command Injection (CWE-78) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-20029 is a command injection vulnerability (CWE-78) affecting the iControl REST interface and the BIG-IP TMOS Shell (tmsh) save command on F5 BIG-IP systems. An authenticated user can supply crafted input that results in execution of arbitrary operating system commands. The flaw carries a CVSS 4.0 score of 8.7, reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

An authenticated attacker with access to either iControl REST or tmsh can exploit the issue to run system-level commands on the affected BIG-IP device. Successful exploitation grants the attacker the ability to read, modify, or delete data and potentially disrupt device operation without requiring user interaction.

F5 has published mitigation guidance in knowledge article K000148587, which addresses affected software versions and recommended remediation steps. The current EPSS score of 0.6618 indicates moderate exploitation interest following disclosure.

EU & UK References

Vulnerability details

Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Command injection in public iControl REST/tmsh interface directly enables remote arbitrary command execution (T1190 + T1059.004) from low-privileged auth, resulting in full system compromise (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24320Same product: F5 Big-Ip Access Policy Manager
CVE-2025-20058Same product: F5 Big-Ip Access Policy Manager
CVE-2025-21091Same product: F5 Big-Ip Access Policy Manager
CVE-2025-20045Same product: F5 Big-Ip Access Policy Manager
CVE-2025-21087Same product: F5 Big-Ip Access Policy Manager
CVE-2025-23239Same product: F5 Big-Ip Access Policy Manager
CVE-2025-22846Same product: F5 Big-Ip Access Policy Manager
CVE-2025-24497Same product: F5 Big-Ip Policy Enforcement Manager
CVE-2025-53521Same product: F5 Big-Ip Access Policy Manager
CVE-2025-24312Same product: F5 Big-Ip Advanced Firewall Manager

Affected Assets

f5
big-ip access policy manager
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
f5
big-ip advanced firewall manager
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
f5
big-ip advanced web application firewall
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
f5
big-ip analytics
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
f5
big-ip application acceleration manager
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
f5
big-ip application security manager
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
f5
big-ip application visibility and reporting
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
f5
big-ip automation toolchain
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
f5
big-ip carrier-grade nat
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
f5
big-ip container ingress services
15.1.0 — 15.1.10.6 · 16.1.0 — 16.1.5.2 · 17.1.0 — 17.1.2.1
+11 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the command injection vulnerability by requiring timely identification, reporting, and patching of the specific flaw in iControl REST and tmsh save command as per the F5 advisory.

prevent

Prevents command injection (CWE-78) by enforcing input validation mechanisms at the iControl REST and tmsh interfaces to reject malformed or malicious inputs.

prevent

Limits the impact of arbitrary command execution by ensuring authenticated low-privilege users and affected processes operate with least privilege on the BIG-IP system.

References