F5 BIG-IP CVE-2025-59481 Privilege Escalation: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-59481, a privilege escalation vulnerability in F5 BIG-IP iControl REST and tmsh. It covers affected versions, technical details, and vendor security history, with references to official advisories and research.
CVE Analysis

ZeroPath CVE Analysis

2025-10-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Privilege escalation in a network's core load balancer can lead to full compromise of application traffic, cryptographic keys, and critical configuration data. CVE-2025-59481 is a recently disclosed vulnerability in F5 BIG-IP systems that allows authenticated attackers with resource administrator privileges to execute arbitrary system commands with elevated privileges, crossing established security boundaries. This flaw is particularly severe in appliance mode, where exploitation requires only network access to the iControl REST endpoint.

About F5 Networks and BIG-IP

F5 Networks is a dominant force in the application delivery controller and load balancing market. Their BIG-IP product line is widely used in enterprise, government, and service provider networks for traffic management, security, and access control. BIG-IP's critical role in infrastructure makes vulnerabilities in its management interfaces especially impactful.

Technical Information

CVE-2025-59481 is a privilege escalation vulnerability in F5 BIG-IP's iControl REST API and TMOS Shell (tmsh). The issue arises from an undisclosed command in these management interfaces that fails to enforce proper privilege separation. An authenticated attacker holding at least the Resource Administrator role can exploit this flaw to execute arbitrary system commands with higher privileges than that role is meant to grant.

Key points:

  • The vulnerability is classified as CWE-250 (Execution with Unnecessary Privileges).
  • In standard mode, exploitation requires both network access to the iControl REST endpoint and local access to the BIG-IP system.
  • In appliance mode, only network access to the iControl REST endpoint is required, increasing the risk and CVSS score.
  • The flaw allows crossing of privilege boundaries, undermining the role-based access control model in BIG-IP.

No public code snippets or proof of concept are available for this vulnerability. The root cause is excessive privileges granted to certain commands in the management interfaces, breaking the principle of least privilege.
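The key points above state that exploitation needs an authenticated account with at least the Resource Administrator role. The script below is an added example, not code from this post or from F5: it reads the user collection that iControl REST returns for GET /mgmt/tm/auth/user and lists every account holding resource-admin or admin on any partition, so the set of accounts that satisfy the vulnerability's precondition can be reviewed and trimmed to what is genuinely needed while the fix is scheduled. The JSON shape it parses (an items list whose entries carry a partitionAccess list of name/role pairs) is assumed to match what current BIG-IP versions return, and the sample collection embedded in the script is constructed for illustration rather than taken from a real device.

```python
"""Audit BIG-IP local accounts for the privilege level CVE-2025-59481 requires.

Reads the JSON returned by iControl REST for GET /mgmt/tm/auth/user and reports
accounts that hold admin or resource-admin on any partition.  Fetching the data
is left to the caller, for example (placeholders, not real credentials):

    curl -sk -u <user>:<password> https://<bigip-host>/mgmt/tm/auth/user

The sample below is constructed for illustration and is not from a real device.
Assumption: the collection has an `items` list and each item a `partitionAccess`
list of {"name": <partition>, "role": <role>} entries.
"""
import json

# Roles that satisfy "at least Resource Administrator" in BIG-IP's role hierarchy.
ESCALATION_CAPABLE_ROLES = {"admin", "resource-admin"}

# Constructed sample of an iControl REST user collection (not real data).
SAMPLE_USER_COLLECTION = json.dumps({
    "kind": "tm:auth:user:usercollectionstate",
    "items": [
        {"name": "admin",
         "partitionAccess": [{"name": "all-partitions", "role": "admin"}]},
        {"name": "netops",
         "partitionAccess": [{"name": "Common", "role": "resource-admin"}]},
        {"name": "auditor1",
         "partitionAccess": [{"name": "all-partitions", "role": "auditor"}]},
        {"name": "appteam",
         "partitionAccess": [{"name": "Common", "role": "operator"},
                             {"name": "AppPartition", "role": "resource-admin"}]},
        {"name": "readonly", "partitionAccess": []},
    ],
})


def privileged_accounts(user_collection_json):
    """Return {account: ["role@partition", ...]} for accounts holding a
    qualifying role.  Only roles in ESCALATION_CAPABLE_ROLES are listed, and
    the partition is kept so the reviewer can see where the privilege applies.
    """
    data = json.loads(user_collection_json)
    findings = {}
    for user in data.get("items", []):
        hits = [
            f"{access.get('role')}@{access.get('name')}"
            for access in user.get("partitionAccess", [])
            if access.get("role") in ESCALATION_CAPABLE_ROLES
        ]
        if hits:
            findings[user["name"]] = hits
    return findings


def summarize(user_collection_json):
    """Human-readable report of accounts that should be reviewed."""
    findings = privileged_accounts(user_collection_json)
    lines = [f"{len(findings)} account(s) hold admin or resource-admin:"]
    for account, hits in sorted(findings.items()):
        lines.append(f"  {account}: {', '.join(hits)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_USER_COLLECTION))
```

Run against the constructed sample, the report lists admin, netops and appteam; auditor1 and readonly are not flagged because neither holds a role at or above Resource Administrator on any partition. Each flagged account is one that should either be removed, downgraded, or justified, since it is a viable starting point for the escalation described on this page.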

Affected Systems and Versions

  • Affects F5 BIG-IP systems with iControl REST and tmsh components
  • Vulnerable in both standard and appliance mode
  • Only supported versions are evaluated; versions that have reached End of Technical Support (EoTS) are not evaluated
  • For specific fixed versions, refer to F5 advisory K000156642

Vendor Security History

F5 has a history of management plane vulnerabilities in BIG-IP products:

  • CVE-2020-5902: Remote code execution in TMUI, which was rapidly exploited in the wild after disclosure
  • CVE-2022-1388: iControl REST authentication bypass and remote code execution
  • CVE-2025-23239: Appliance mode bypass via iControl REST
  • CVE-2025-20029: Command injection in tmsh save command

F5 now releases quarterly security notifications and provides detailed advisories and patch information. Despite improvements, recurring privilege escalation and command execution flaws indicate ongoing architectural challenges in management interface security.
