Introduction
Privilege escalation on F5OS-A and F5OS-C can undermine the isolation and trust boundaries that enterprise and service provider networks depend on. CVE-2025-61955, disclosed in October 2025, allows authenticated attackers with local access to bypass Appliance mode and gain elevated privileges, directly impacting the security posture of organizations using F5's next-generation platforms.
About F5 Networks and F5OS: F5 Networks is a major vendor in the application delivery and network security space, with its BIG-IP and F5OS platforms deployed in thousands of enterprise and service provider environments worldwide. F5OS-A powers rSeries appliances, while F5OS-C is the foundation for VELOS chassis systems. These platforms are critical for high-performance, multi-tenant, and virtualized network services.
Technical Information
CVE-2025-61955 is a privilege escalation vulnerability in the F5OS-A and F5OS-C operating systems. The vulnerability allows an authenticated user with local access to escalate their privileges and cross security boundaries, including bypassing the restrictions imposed by Appliance mode.
- Root Cause: The vulnerability is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, also known as eval injection). This occurs when user-supplied input is processed by code evaluation functions (such as eval) without sufficient sanitization or validation. Attackers can inject malicious directives that are executed with elevated privileges.
- Attack Vector: Local authenticated access is required. Attack complexity is low once access is obtained. The vulnerability is not remotely exploitable without prior credential compromise or local access.
- Scope: Successful exploitation allows attackers to cross security boundaries within F5OS, including Appliance mode, which is intended to restrict privileged operations.
- CVSS Details:
  - CVSS v3.1 Base Score: 8.8 (High) for Appliance mode
  - Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
No public code snippets, PoC, or exploit scripts are available as of this writing. F5 evaluates only supported versions; End of Technical Support (EoTS) versions are not evaluated by F5.
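To make the CWE-95 root cause concrete from a defender's side, the following added example (not code from F5 or from the advisory; the directive format and setting names are constructed for illustration) shows a generic management-style directive handler written the vulnerable way, with eval() on caller-controlled text, next to a hardened version that uses an allowlist of keys and parses values as literals only.

```python
import ast
import re

# Vulnerable pattern (CWE-95): the value part of a "key=value" directive is
# handed to eval(), so any Python expression the caller supplies is evaluated
# with the handler's own privileges, even though only an integer was intended.
def apply_directive_vulnerable(settings: dict, directive: str) -> dict:
    key, _, value = directive.partition("=")
    updated = dict(settings)
    updated[key.strip()] = eval(value)  # defect under discussion: dynamic evaluation
    return updated


# Hardened form: constructed allowlist of settings and their expected types.
ALLOWED_SETTINGS = {"log_level": int, "max_sessions": int}
KEY_PATTERN = re.compile(r"^[a-z_]{1,32}$")


def apply_directive_hardened(settings: dict, directive: str) -> dict:
    key, sep, value = directive.partition("=")
    key = key.strip()
    if not sep or not KEY_PATTERN.match(key) or key not in ALLOWED_SETTINGS:
        raise ValueError(f"rejected directive key: {key!r}")
    try:
        # literal_eval accepts data literals only; calls, names and attribute
        # access raise ValueError/SyntaxError instead of being executed.
        parsed = ast.literal_eval(value.strip())
    except (ValueError, SyntaxError):
        raise ValueError("directive value must be a plain literal") from None
    expected = ALLOWED_SETTINGS[key]
    if type(parsed) is not expected:  # 'is not' also rejects bool for int
        raise ValueError(f"{key} must be {expected.__name__}")
    updated = dict(settings)
    updated[key] = parsed
    return updated


def is_rejected(settings: dict, directive: str) -> bool:
    """True when the hardened handler refuses the directive."""
    try:
        apply_directive_hardened(settings, directive)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = {"log_level": 1, "max_sessions": 10}
    # Benign probe: a function call where an integer was expected is evaluated.
    print(apply_directive_vulnerable(base, "log_level=len('abcd')"))
    # The same input is refused by the hardened handler.
    print(is_rejected(base, "log_level=len('abcd')"))
    print(apply_directive_hardened(base, "log_level=4"))
```

The hardened handler never interprets the input as code: the key must match an allowlist, the value must be a literal, and its type must match what the setting expects, which closes the class of defect CWE-95 describes regardless of which privileged process performs the evaluation.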
Affected Systems and Versions
- Products: F5OS-A (for rSeries appliances) and F5OS-C (for VELOS chassis)
- Version Information:
  - The vulnerability is present in supported versions of F5OS-A and F5OS-C. Specific version numbers are not listed in the public advisory, but the October 2025 Quarterly Security Notification and F5 article K000156771 provide the authoritative list of affected and fixed versions.
  - End of Technical Support (EoTS) versions are not evaluated and may or may not be vulnerable.
- Configuration:
  - Both standard and Appliance mode configurations are affected. The CVSS score is higher for Appliance mode due to the security boundary bypass.
Vendor Security History
F5 Networks has disclosed several privilege escalation and Appliance mode bypass vulnerabilities in 2025, including CVE-2025-61955, CVE-2025-57780, and CVE-2025-61958. The company experienced a major breach by nation-state actors in 2025, resulting in the theft of source code and vulnerability data. F5 typically releases quarterly security notifications and has a history of timely patch releases, but the recent breach has prompted increased scrutiny and emergency directives from CISA for federal agencies.