Severity: High

Privilege Escalation in F5 BIG-IP iControl REST and tmsh

Identifiers: CVE-2025-59481; CWE-250 (Execution with Unnecessary…)

CVE-2025-59481 is a privilege escalation vulnerability in F5 BIG-IP affecting an undisclosed command exposed through the iControl REST management API and the BIG-IP TMOS Shell (tmsh). According to the vendor description, an authenticated attacker holding at least the Resource Administrator role can execute arbitrary system commands with higher privileges than intended, crossing a security boundary. The issue is described as stemming from improper privilege separation and unnecessary or excessive privileges assigned to certain management commands. In practice, this undermines BIG-IP's role-based access control model by letting a user with limited administrative rights reach system-level command execution through management-plane functionality.


Analyst brief: impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker to escalate privileges and execute arbitrary system commands at a higher privilege level on the BIG-IP system. The vendor advisory indicates this can cross established security boundaries and may enable compromise of the underlying operating system, application traffic, cryptographic keys, and critical configuration data. Because the flaw affects management interfaces on infrastructure devices, compromise could materially affect device integrity and administrative trust boundaries.

Mitigation

If you can’t patch tonight, do this now.

Restrict access to BIG-IP management interfaces, especially iControl REST, to trusted administrative networks only, and do not expose management interfaces to the public internet. Limit assignment of Resource Administrator and similar privileged roles to only those accounts that require them, enforce strong authentication and credential hygiene, and monitor use of iControl REST and tmsh for anomalous command execution or privilege escalation behavior. Where immediate patching is not possible, segment affected appliances and increase logging and threat hunting around management-plane access.
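As an added illustration of the role review and tmsh monitoring recommended above (example code written for this page, not F5's or Mallory's), the following Python reviews a constructed user inventory shaped like the iControl REST /mgmt/tm/auth/user response and flags tmsh commands in constructed BIG-IP audit lines that Resource Administrator accounts ran outside an expected set of modules. The audit-line layout, the role names and the expected-module baseline are assumptions to check against your own deployment.

```python
import re

# Constructed sample audit lines in the layout of BIG-IP's tmsh AUDIT records
# (the exact layout is an assumption; compare with your own /var/log/audit).
SAMPLE_AUDIT_LOG = """\
Oct 15 10:02:11 bigip1 notice tmsh[4121]: 01420002:5: AUDIT - pid=4121 user=netops folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm pool
Oct 15 10:03:40 bigip1 notice tmsh[4188]: 01420002:5: AUDIT - pid=4188 user=resadm folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys db ui.advisory.enabled value true
Oct 15 10:04:02 bigip1 notice tmsh[4201]: 01420002:5: AUDIT - pid=4201 user=resadm folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util ping 10.0.0.1
Oct 15 10:05:17 bigip1 notice tmsh[4233]: 01420002:5: AUDIT - pid=4233 user=resadm folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
Oct 15 10:06:30 bigip1 notice tmsh[4260]: 01420002:5: AUDIT - pid=4260 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=save sys config
"""

# Constructed user inventory shaped like the `items` of GET /mgmt/tm/auth/user
# (assumption: each partitionAccess entry carries the role name as shown).
SAMPLE_USERS = [
    {"name": "admin", "partitionAccess": [{"name": "all-partitions", "role": "admin"}]},
    {"name": "resadm", "partitionAccess": [{"name": "all-partitions", "role": "resource-admin"}]},
    {"name": "netops", "partitionAccess": [{"name": "Common", "role": "operator"}]},
]

# tmsh modules a Resource Administrator is expected to use in this deployment
# (deployment-specific assumption; tune to your own baseline).
EXPECTED_MODULES = {"ltm", "gtm", "net", "cm"}

AUDIT_RE = re.compile(r"user=(?P<user>\S+) .*?status=\[(?P<status>[^\]]+)\] cmd_data=(?P<cmd>.*)$")


def roles_by_user(users):
    """Map each account name to the set of roles it holds on any partition."""
    return {u["name"]: {p["role"] for p in u.get("partitionAccess", [])} for u in users}


def accounts_with_role(users, role):
    """Least-privilege review: which accounts hold `role` at all (e.g. resource-admin)."""
    return sorted(name for name, roles in roles_by_user(users).items() if role in roles)


def review_audit(log_text, users):
    """Flag tmsh commands run by resource-admin accounts outside their expected modules."""
    roles = roles_by_user(users)
    findings = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or "resource-admin" not in roles.get(m["user"], set()):
            continue
        cmd = m["cmd"].strip()
        parts = cmd.split()
        module = parts[1] if len(parts) > 1 else ""  # "modify sys db ..." -> "sys"
        if module not in EXPECTED_MODULES:
            findings.append((m["user"], m["status"], cmd))
    return findings
```

On the constructed sample, the two commands touching the sys and util modules under the resource-admin account are returned for review, while the same account's ltm commands and the full administrator's commands are not.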

Remediation

Patch, then assume compromise.

Apply the vendor-provided fixes in the supported F5 BIG-IP versions identified in F5 advisory K000156642 and the October 2025 quarterly security guidance. The advisory states that End of Technical Support versions were not evaluated, so affected organizations should upgrade unsupported deployments to supported releases before applying the relevant fixed version or engineering hotfix. Follow F5's product-specific upgrade guidance for the affected BIG-IP branch.

Public exploits

No public exploits tracked yet; no public exploit code has been observed for this vulnerability. Mallory keeps watching.

Exposure surface: affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
F5 | BIG-IP Access Policy Manager | application
F5 | BIG-IP Advanced Firewall Manager | application
F5 | BIG-IP Advanced Web Application Firewall | application
F5 | BIG-IP Analytics | application
F5 | BIG-IP Application Acceleration Manager | application
F5 | BIG-IP Application Security Manager | application
F5 | BIG-IP Application Visibility and Reporting | application
F5 | BIG-IP Automation Toolchain | application
F5 | BIG-IP Carrier-Grade NAT | application
F5 | BIG-IP Container Ingress Services | application
F5 | BIG-IP DDoS Hybrid Defender | application
F5 | BIG-IP Domain Name System | application
F5 | BIG-IP Edge Gateway | application
F5 | BIG-IP Fraud Protection Service | application
F5 | BIG-IP Global Traffic Manager | application
F5 | BIG-IP Link Controller | application
F5 | BIG-IP Local Traffic Manager | application
F5 | BIG-IP Policy Enforcement Manager | application
F5 | BIG-IP SSL Orchestrator | application
F5 | BIG-IP WebAccelerator | application
F5 | BIG-IP WebSafe | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
