CVE-2025-31644: 
F5 BIG-IP Virtual Edition (tier - best) vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-31644) has been discovered in F5's BIG-IP systems operating in Appliance mode. The vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command, which affects systems running in Appliance mode. This command injection vulnerability was discovered and disclosed on May 7, 2025 (NVD).

The vulnerability is classified as a command injection vulnerability (CWE-77) affecting BIG-IP TMOS Shell and iControl REST interfaces when running in Appliance mode. It has received a CVSS v4.0 Base Score of 8.5 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L and CVSS v3.1 Base Score of 8.7 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N. The vulnerability specifically resides in the file parameter of the save command, which is used to store configuration files and is passed unsafely to underlying Perl scripts or system commands (SecurityOnline).

A successful exploitation of this vulnerability could allow an authenticated attacker with administrator privileges to execute arbitrary system commands and cross security boundaries. The vulnerability can be weaponized to manipulate system-level configurations, plant persistence mechanisms, or pivot to lateral movement in restricted environments. While this is not a data plane vulnerability, it represents a significant control plane compromise (SecurityOnline).

Software versions which have reached End of Technical Support (EoTS) are not evaluated. Users should ensure their systems are updated to the latest supported version and follow security best practices. Organizations running BIG-IP in Appliance mode should immediately apply the vendor patches for the affected versions (Wiz).