CVE-2025-23239
Published: 05 February 2025
Summary
CVE-2025-23239 is a high-severity Command Injection (CWE-77) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the command injection vulnerability by requiring timely remediation through vendor patches, as specified in the F5 security advisory.
- SI-10 (Information Input Validation): requires validation of inputs to the iControl REST endpoint, directly preventing command injection exploits (CWE-77).
- AC-6 (Least Privilege): enforces least privilege to minimize the number of accounts holding the highly-privileged role required to authenticate and exploit the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote authenticated command injection in a public-facing iControl REST endpoint directly enables Exploit Public-Facing Application (T1190) and arbitrary command execution via the Unix shell (Command and Scripting Interpreter: Unix Shell, T1059.004).
NVD Description
When running in Appliance mode, and logged into a highly-privileged role, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Deeper analysis
CVE-2025-23239 is an authenticated remote command injection vulnerability (CWE-77) affecting an undisclosed iControl REST endpoint in F5 BIG-IP systems when running in Appliance mode. It requires the attacker to be logged in with a highly-privileged role. The vulnerability has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N): it is reachable over the network with low attack complexity and no user interaction, requires high privileges, changes scope (the injected command runs outside the REST endpoint's own security context), and has high impact on confidentiality and integrity with no impact on availability.
An attacker holding a highly-privileged account can exploit this remotely by sending crafted input to the vulnerable iControl REST endpoint, which is passed to the shell without adequate validation. Successful exploitation allows the attacker to cross the Appliance-mode security boundary, potentially leading to unauthorized access, data exfiltration, or system modification within the affected F5 environment.
The F5 security advisory at https://my.f5.com/manage/s/article/K000138757 provides details on affected versions, patches, and mitigation steps. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated for fixes.
Details
- CWE(s)