
PoC exploit for F5 BIG-IP command injection vulnerability published

Security researchers have released proof-of-concept (PoC) exploit code for CVE-2025-20029, a command injection vulnerability affecting F5's BIG-IP application delivery controller.

The flaw, which carries a CVSS v3.1 base score of 8.8, allows authenticated attackers to execute arbitrary system commands due to improper neutralization of special elements in the iControl REST API and the TMOS Shell (tmsh).

Successful exploitation lets an attacker with a standard user account escalate to root-level access and compromise the entire BIG-IP control plane.

The vulnerability stems from inadequate input validation in the save functionality of the tmsh command-line interface, where attackers can inject malicious parameters containing shell metacharacters such as the semicolon (;) or &&.

This bypasses F5's restricted command environment through improper handling of user-supplied arguments that are passed to system() calls.
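To make the weakness class concrete, the following added example (not F5 or tmsh code) contrasts a hypothetical configuration-save routine that interpolates a user-supplied file name into a shell command string, as a system() call would, with a version that allow-lists the name and hands it to an exec-style call as an argv list. The program path /bin/save_config, the .ucs naming rule and the two function names are assumptions for illustration; the command string is only built and counted, never executed.

```python
"""Unsafe versus safe handling of a user-supplied file name that ends up in
an OS command: the 'improper neutralization of special elements' pattern
(CWE-78) behind the tmsh save flaw described above.

Added example, not F5 or tmsh code.  save_config_unsafe/save_config_safe
and the /bin/save_config path are hypothetical stand-ins; nothing here
runs a real command.
"""
import re
from typing import List

# Allow-list for a saved-configuration name: letters, digits, dot, dash,
# underscore, ending in .ucs.  Assumed rule for illustration.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+\.ucs$")


def save_config_unsafe(name: str) -> str:
    """Return the single string a system()-style call would hand to the shell.

    `name` is interpolated verbatim, so a value such as 'backup.ucs; true'
    becomes two shell commands instead of one file name.
    """
    return f"/bin/save_config --file {name}"


def is_safe_name(name: str) -> bool:
    """True only if the name matches the allow-list exactly."""
    return SAFE_NAME.fullmatch(name) is not None


def save_config_safe(name: str) -> List[str]:
    """Return an argv list for an exec-style call (e.g. subprocess.run with
    shell=False).  Two defenses stack here:
    1. the name is validated against an allow-list, and
    2. arguments travel as a list, so no shell ever parses them.
    """
    if not is_safe_name(name):
        raise ValueError(f"rejected file name: {name!r}")
    return ["/bin/save_config", "--file", name]


def command_count(cmd: str) -> int:
    """Number of shell commands the string would run if the shell split it
    on ';' or '&&' (a simplified model of shell parsing, for illustration)."""
    return len([part for part in re.split(r";|&&", cmd) if part.strip()])


if __name__ == "__main__":
    for candidate in ("backup.ucs", "backup.ucs; true"):
        print(f"{candidate!r}: unsafe path runs "
              f"{command_count(save_config_unsafe(candidate))} command(s); "
              f"allow-listed: {is_safe_name(candidate)}")
```

Allow-listing plus argv passing is preferred over escaping (for example with shlex.quote): escaping must be applied at every call site and is easy to get wrong, whereas an exec-style call never gives a shell the chance to interpret metacharacters at all.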

While exploitation requires valid credentials, the attack complexity remains low because the vulnerable command sequences have a predictable structure.

The researchers showed that combining this vulnerability with stolen credentials allows attackers to run reconnaissance commands via tmsh show subcommands, write malicious payloads to /var/tmp using echo redirection, and establish persistence through cron job injection.

Affected versions and fixes

Proof-of-concept exploit mechanics

The released PoC uses the BIG-IP iControl REST endpoint /mgmt/tm/util/bash to bypass the command restrictions. A crafted JSON payload abuses the improper argument handling in the configuration save process.

A 200 OK response indicates successful execution, with the injected commands running with root privileges.

Analysts confirmed the exploit chain allows attackers to:

  • Extract administrative credentials from /config/bigip.license
  • Modify iRule configurations to establish persistent backdoors
  • Disrupt traffic management policies via tmsh delete commands

Mitigation strategies

Temporary mitigations include:

  • Restricting iControl REST access via the Port Lockdown settings on self IPs.
  • Implementing network segmentation for administrative interfaces.
  • Enforcing strict RBAC policies to limit tmsh command availability.

CVE-2025-20029 represents a critical infrastructure threat that requires prioritized remediation.

Organizations should apply F5's security updates within a 24-hour emergency change window, conduct forensic audits of exposed systems, and deploy Runtime Application Self-Protection (RASP) rules to detect command injection patterns.
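As an added example of the "detect command injection patterns" step (not code from F5 or from the researchers), the block below scans management-plane request records and flags three things the article singles out: calls to the /mgmt/tm/util/bash endpoint, shell metacharacters such as ; or && inside request-body fields, and requests from outside an assumed admin network. The log records are constructed in a simple JSON-lines shape that a reverse proxy or SIEM collector in front of the management interface might emit; the real restjavad log format differs, the /mgmt/tm/sys/ucs save request shape is assumed for illustration, and the 10.0.100.0/24 admin network is an assumption, so adapt parse_record and ADMIN_NETS to your environment.

```python
"""Flag iControl REST management-plane requests matching the command
injection pattern described for CVE-2025-20029.

Added example; not F5 code.  SAMPLE_LOG is CONSTRUCTED: one JSON object per
line (timestamp, source IP, user, method, path, raw body) as a collector in
front of the management interface might record it.
"""
import json
import re
from typing import Dict, List

# Metacharacters that should never appear in a tmsh argument meant to be a
# plain file or object name.
SHELL_META = re.compile(r"(;|&&|\|\||\||`|\$\(|\n)")

# Endpoint the article names as the path abused by the PoC.
UTIL_BASH = "/mgmt/tm/util/bash"

# Assumption: legitimate management access only comes from this network.
ADMIN_NETS = ("10.0.100.",)

# Constructed sample records; bodies are JSON encoded inside the JSON line.
SAMPLE_LOG = """\
{"ts":"2025-03-01T10:00:01Z","src":"10.0.100.5","user":"admin","method":"GET","path":"/mgmt/tm/ltm/virtual","body":""}
{"ts":"2025-03-01T10:00:07Z","src":"10.0.100.5","user":"admin","method":"POST","path":"/mgmt/tm/sys/ucs","body":"{\\"command\\":\\"save\\",\\"name\\":\\"nightly.ucs\\"}"}
{"ts":"2025-03-01T10:03:44Z","src":"203.0.113.9","user":"operator","method":"POST","path":"/mgmt/tm/sys/ucs","body":"{\\"command\\":\\"save\\",\\"name\\":\\"backup.ucs && true\\"}"}
{"ts":"2025-03-01T10:04:10Z","src":"203.0.113.9","user":"operator","method":"POST","path":"/mgmt/tm/util/bash","body":"{\\"command\\":\\"run\\",\\"utilCmdArgs\\":\\"-c uname\\"}"}
"""


def parse_record(line: str) -> Dict:
    """Decode one JSON line and, if present, the JSON request body inside it."""
    rec = json.loads(line)
    rec["body_json"] = json.loads(rec["body"]) if rec["body"] else {}
    return rec


def findings_for(rec: Dict) -> List[str]:
    """Return the list of reasons this request deserves analyst attention."""
    out: List[str] = []
    if rec["path"] == UTIL_BASH:
        out.append("util/bash endpoint invoked")
    for key, val in rec["body_json"].items():
        if isinstance(val, str) and SHELL_META.search(val):
            out.append(f"shell metacharacter in field '{key}'")
    if not rec["src"].startswith(ADMIN_NETS):
        out.append("source outside admin network")
    return out


def scan(log_text: str) -> List[Dict]:
    """Scan JSON-lines log text; return one summary per suspicious request."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        findings = findings_for(rec)
        if findings:
            results.append({"ts": rec["ts"], "src": rec["src"],
                            "user": rec["user"], "path": rec["path"],
                            "findings": findings})
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["user"], hit["path"], "->",
              "; ".join(hit["findings"]))
```

Run against the constructed sample, the two admin-network requests pass and the two from 203.0.113.9 are reported: the save request because its name field contains &&, and the util/bash call because that endpoint is itself worth alerting on from any source. A request that trips the metacharacter check after the fix is applied should still be treated as an attempt and tied back to the user account that made it.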

As network devices increasingly become attack vectors, the security community emphasizes hardening API endpoints and adopting zero-trust principles for management-plane access.
