CVE-2025-59481
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-10-15
Last updated on: 2026-02-04
Assigner: F5 Networks
Description
Description
A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with at least resource administrator role to execute arbitrary system commands with higher privileges.Β A successful exploit can allow the attacker to cross a security boundary.Β Β Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| f5 | big-ip_advanced_firewall_manager | From 16.1.0 (inc) to 16.1.5.2.0.7.5 (inc) |
| f5 | big-ip_access_policy_manager | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_advanced_web_application_firewall | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_analytics | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_application_acceleration_manager | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_application_security_manager | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_application_visibility_and_reporting | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_automation_toolchain | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_carrier-grade_nat | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_container_ingress_services | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_ddos_hybrid_defender | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_domain_name_system | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_edge_gateway | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_fraud_protection_service | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_global_traffic_manager | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_link_controller | From 15.1.0 (inc) to 15.1.1.0.8 (exc) |
| f5 | big-ip_local_traffic_manager | From 15.1.0 (inc) to 15.1.1.0.8 (exc) |
| f5 | big-ip_policy_enforcement_manager | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_ssl_orchestrator | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_webaccelerator | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_websafe | From 15.1.0 (inc) to 15.1.10.8 (exc) |
| f5 | big-ip_access_policy_manager | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_advanced_web_application_firewall | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_analytics | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_application_acceleration_manager | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_application_security_manager | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_application_visibility_and_reporting | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_automation_toolchain | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_carrier-grade_nat | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_container_ingress_services | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_ddos_hybrid_defender | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_domain_name_system | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_edge_gateway | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_fraud_protection_service | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_global_traffic_manager | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_link_controller | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_local_traffic_manager | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_policy_enforcement_manager | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_ssl_orchestrator | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_webaccelerator | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_websafe | From 16.1.0 (inc) to 16.1.6.1 (exc) |
| f5 | big-ip_access_policy_manager | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_access_policy_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_advanced_firewall_manager | From 16.1.0 (inc) to 16.1.5.2.0.7.5 (inc) |
| f5 | big-ip_advanced_web_application_firewall | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_advanced_web_application_firewall | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_analytics | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_analytics | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_application_acceleration_manager | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_application_acceleration_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_application_security_manager | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_application_security_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_application_visibility_and_reporting | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_application_visibility_and_reporting | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_automation_toolchain | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_automation_toolchain | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_carrier-grade_nat | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_carrier-grade_nat | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_container_ingress_services | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_container_ingress_services | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_ddos_hybrid_defender | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_ddos_hybrid_defender | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_domain_name_system | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_domain_name_system | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_edge_gateway | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_edge_gateway | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_fraud_protection_service | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_fraud_protection_service | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_global_traffic_manager | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_link_controller | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_link_controller | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_local_traffic_manager | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_local_traffic_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_policy_enforcement_manager | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_policy_enforcement_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_ssl_orchestrator | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_ssl_orchestrator | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_webaccelerator | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_webaccelerator | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_websafe | From 17.1.0 (inc) to 17.1.3 (exc) |
| f5 | big-ip_websafe | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_advanced_firewall_manager | From 16.1.0 (inc) to 16.1.5.2.0.7.5 (inc) |
| f5 | big-ip_advanced_firewall_manager | From 16.1.0 (inc) to 16.1.5.2.0.7.5 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-noinfo | |
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that allows an authenticated attacker with at least resource administrator privileges to execute arbitrary system commands with higher privileges. This means the attacker can perform actions beyond their normal permissions, potentially crossing security boundaries within the system.
How can this vulnerability impact me? :
The vulnerability can allow an attacker with resource administrator access to execute arbitrary system commands with elevated privileges, potentially leading to unauthorized control over the system, data exposure, or disruption of services by crossing security boundaries.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70