CVE-2025-23239: 
F5 BIG-IP Advanced Firewall Manager vulnerability analysis and mitigation

CVE-2025-23239 is an authenticated remote command injection vulnerability discovered in an undisclosed iControl REST endpoint when running in Appliance mode. The vulnerability was disclosed on February 5, 2025, affecting BIG-IP systems running in Appliance mode. This security issue allows authenticated attackers with administrator or resource administrator privileges to execute arbitrary system commands and potentially cross security boundaries (F5 Advisory).

The vulnerability has been classified as CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'). It received a CVSS v3.1 base score of 8.7 (High) and a CVSS v4.0 score of 8.5 (High). The vulnerability specifically affects the control plane, with no data plane exposure. It allows authenticated users with administrator or resource administrator role privileges and network access to iControl REST through the BIG-IP management port or self IP addresses to execute arbitrary Advanced Shell (bash) commands (F5 Advisory, NVD).

The vulnerability enables authenticated attackers with administrator or resource administrator privileges to bypass Appliance mode security on BIG-IP systems. This allows the execution of arbitrary system commands and the ability to create or delete files. The vulnerability specifically affects systems running in Appliance mode, which is enforced by a specific license or may be enabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances (F5 Advisory).

F5 has released fixes for affected versions in the 17.x branch, specifically versions 17.1.1 and 17.1.2. For temporary mitigation, administrators can block iControl REST access through self IP addresses by changing Port Lockdown settings to 'Allow None' or restrict management access to only trusted users and devices over a secure network. Additionally, packet filtering can be implemented to restrict access to specific IP ranges (F5 Advisory).