Introduction - Real Impact and Significance
Attackers with resource administrator credentials on F5 BIG-IP can cross the Appliance mode security boundary and gain bash shell access, undermining a core defense relied on by critical infrastructure operators. This issue directly impacts organizations that use BIG-IP to enforce strict administrative separation and compliance requirements.
F5 Networks is a leading provider of application delivery controllers and security appliances, with its BIG-IP platform deployed in financial services, government, healthcare, and large enterprises worldwide. The BIG-IP product line is central to global application delivery and security, making vulnerabilities in its core management interfaces highly consequential for the broader tech ecosystem.
Technical Information
CVE-2025-61958 is a privilege escalation vulnerability in the iHealth command of the tmsh (Traffic Management Operating System Shell) utility on F5 BIG-IP systems. The vulnerability allows an authenticated attacker with at least the resource administrator role to bypass tmsh command restrictions and obtain a bash shell. This is particularly critical for BIG-IP systems running in Appliance mode, which is specifically designed to prevent direct shell access and enforce a strict security boundary between administrative users and the underlying operating system.
The root cause is improper input validation or command injection in the iHealth utility, which processes diagnostic commands and generates qkview files for system health analysis. When an attacker supplies crafted input to the iHealth command, tmsh fails to sanitize it properly, allowing the attacker to escape the restricted shell and execute arbitrary bash commands. This violates the intended privilege separation and allows escalation to full system-level access. The vulnerability is classified under CWE-250 (Execution with Unnecessary Privileges).
No public code snippets or proof of concept are available for this vulnerability. The technical mechanism is similar to other recent tmsh command injection issues in F5 products, but no exploit details have been published by F5 or external researchers.
Affected Systems and Versions
CVE-2025-61958 affects F5 BIG-IP systems where the iHealth command is available via tmsh. The vulnerability is most severe on systems running in Appliance mode, which is intended to restrict administrative access to the tmsh environment only. The advisory does not specify exact version numbers or ranges, but notes that only supported versions are evaluated. Software versions that have reached End of Technical Support (EoTS) are not evaluated and may also be vulnerable.
Vendor Security History
F5 Networks has a history of critical vulnerabilities in its BIG-IP product line, including:
- CVE-2020-5902: Remote code execution in the Traffic Management User Interface (TMUI), widely exploited in 2020.
- CVE-2023-46747: Command injection in TMUI, exploited by advanced persistent threat actors.
- CVE-2025-20029: Command injection in tmsh, with public proof-of-concept code.
F5 typically issues quarterly advisories and provides detailed mitigation guidance. However, recurring privilege escalation and command injection flaws in tmsh and related management components indicate ongoing challenges in secure software development and input validation.