Mallory
Severity: High

F5 BIG-IP Appliance Mode SCP/SFTP Restriction Bypass

Identifiers: CVE-2025-53868; CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

CVE-2025-53868 affects F5 BIG-IP systems when running in Appliance mode, a configuration intended to prevent administrative users from accessing the root account and from executing arbitrary system commands on the underlying operating system. According to the provided content, a highly privileged authenticated attacker who has access to SCP and SFTP can bypass these Appliance mode restrictions by using undisclosed commands. The available reporting characterizes the issue as a security bypass that enables access beyond the intended Appliance mode boundary, and multiple sources in the content associate it with OS command execution on the underlying system. The supplied context also maps the issue to CWE-78, indicating improper neutralization of special elements used in an OS command, likely within SCP/SFTP-related command handling. Public technical details about the exact vulnerable function or command path are not available in the provided material.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a privileged authenticated attacker to defeat Appliance mode protections on an affected BIG-IP device and gain access to functionality on the underlying operating system that should be blocked in Appliance mode. Based on the provided content, this can enable execution of system-level commands outside intended administrative constraints, weakening a core hardening control on the appliance. In practical terms, this may permit installation of malicious software, persistence on the appliance OS, further privilege abuse, and use of the device as a pivot point for credential theft, lateral movement, or data exfiltration, especially if chained with other vulnerabilities or used after credential compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by strictly limiting which accounts have high privileges and by restricting or disabling SCP and SFTP access wherever operationally feasible on BIG-IP systems running in Appliance mode. Constrain management-plane access to trusted administrative networks only, ensure management interfaces are not internet-exposed, and monitor for anomalous SCP/SFTP activity or unexpected access to the underlying OS. Because exploitation requires authenticated privileged access, credential hygiene, MFA where applicable, segmentation, and rapid review of privileged account use materially reduce risk until fixes are applied.
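The monitoring step above can be turned into a simple check over the appliance's SSH logs. This is an added example, not code from Mallory or F5; it assumes BIG-IP's sshd writes OpenSSH-style entries to /var/log/secure, and the log lines, trusted network and privileged-account list are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in OpenSSH syslog style. Assumption: BIG-IP's sshd
# writes comparable entries to /var/log/secure; nothing here is from a real device.
SAMPLE_LOG = """\
Jun 20 09:01:12 bigip1 sshd[4011]: Accepted publickey for admin from 10.10.5.20 port 50122 ssh2
Jun 20 09:01:13 bigip1 sshd[4011]: subsystem request for sftp by user admin
Jun 20 09:15:40 bigip1 sshd[4102]: Accepted password for admin from 203.0.113.77 port 41002 ssh2
Jun 20 09:15:41 bigip1 sshd[4102]: subsystem request for sftp by user admin
Jun 20 09:20:03 bigip1 sshd[4150]: Accepted publickey for auditor from 10.10.5.21 port 50200 ssh2
Jun 20 09:20:04 bigip1 sshd[4150]: subsystem request for sftp by user auditor
"""

# Assumed policy for this example: the management plane is reachable only from
# these networks, and these accounts count as highly privileged on the appliance.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
PRIVILEGED_USERS = {"admin", "root"}

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")
SFTP_RE = re.compile(r"sshd\[\d+\]: subsystem request for sftp by user (\S+)")


def in_trusted_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_suspicious_sftp(log_text: str) -> list[dict]:
    """Attribute each sftp subsystem request to that user's most recent accepted
    login, then flag privileged accounts and untrusted source networks."""
    last_login = {}  # user -> source IP of the most recent accepted login
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            last_login[m.group(1)] = m.group(2)
            continue
        m = SFTP_RE.search(line)
        if not m:
            continue
        user = m.group(1)
        src = last_login.get(user, "unknown")
        reasons = []
        if user in PRIVILEGED_USERS:
            reasons.append("privileged account used sftp")
        if src == "unknown" or not in_trusted_net(src):
            reasons.append("source outside trusted management networks")
        if reasons:
            findings.append({"user": user, "src": src, "reasons": reasons})
    return findings
```

On the sample data the auditor session from the trusted network produces no finding, while both admin sessions do, and the one from 203.0.113.77 is flagged for two reasons.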

Remediation

Patch, then assume compromise.

F5 has released fixes for supported BIG-IP versions. The provided content identifies fixed versions as 17.5.1, 17.1.3, 16.1.6.1, and 15.1.10.8. Affected supported versions listed in the content are 17.5.0, 17.1.0 through 17.1.2, 16.1.0 through 16.1.6, and 15.1.0 through 15.1.10. Organizations should upgrade to the appropriate fixed release or apply the vendor-provided engineering hotfix/remediation guidance from F5 advisory K000151902. Software versions that have reached End of Technical Support are not evaluated by F5 in the provided material and should be upgraded to supported releases.
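To apply the version lists above to an inventory, the following added example (not Mallory's or F5's code) classifies a BIG-IP version string against the fixed and affected releases named on this page. It assumes versions are dotted integers such as "16.1.6.1" and that a stated range like "17.1.0 through 17.1.2" covers every point release of its last entry.

```python
# Fixed and affected releases exactly as listed on this page (F5 advisory
# K000151902). Assumption: version strings are dotted integers, e.g. "16.1.6.1".
FIXED_BY_BRANCH = {
    "17.5": "17.5.1",
    "17.1": "17.1.3",
    "16.1": "16.1.6.1",
    "15.1": "15.1.10.8",
}
AFFECTED_BY_BRANCH = {
    "17.5": ("17.5.0", "17.5.0"),
    "17.1": ("17.1.0", "17.1.2"),
    "16.1": ("16.1.0", "16.1.6"),
    "15.1": ("15.1.0", "15.1.10"),
}


def parse_version(v: str) -> tuple[int, ...]:
    # Python compares tuples element-wise, so (16, 1, 6) < (16, 1, 6, 1) holds.
    return tuple(int(p) for p in v.split("."))


def assess(version: str) -> dict:
    """Classify one BIG-IP version against the fixed/affected lists above."""
    branch = ".".join(version.split(".")[:2])
    ver = parse_version(version)
    if branch not in FIXED_BY_BRANCH:
        # Branches the page does not cover (e.g. End of Technical Support):
        # the page's advice is to move to a supported, fixed release.
        return {"version": version, "status": "not evaluated",
                "action": "upgrade to a supported fixed release"}
    fixed = FIXED_BY_BRANCH[branch]
    lo, hi = (parse_version(x) for x in AFFECTED_BY_BRANCH[branch])
    if ver >= parse_version(fixed):
        return {"version": version, "status": "fixed", "action": "none"}
    # Assumption: "x through 15.1.10" includes point releases such as 15.1.10.7,
    # so the upper bound is compared on its own prefix length.
    if lo <= ver and ver[:len(hi)] <= hi:
        return {"version": version, "status": "affected",
                "action": f"upgrade to {fixed}"}
    # Below the fix but outside the listed range: the page does not list it,
    # so confirm against the vendor advisory before closing it out.
    return {"version": version, "status": "unlisted",
            "action": f"verify against K000151902; fixed release is {fixed}"}
```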

PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   Product                                          Type
F5       BIG-IP Access Policy Manager                     application
F5       BIG-IP Advanced Firewall Manager                 application
F5       BIG-IP Advanced Web Application Firewall         application
F5       BIG-IP Analytics                                 application
F5       BIG-IP Application Acceleration Manager          application
F5       BIG-IP Application Security Manager              application
F5       BIG-IP Application Visibility and Reporting      application
F5       BIG-IP Automation Toolchain                      application
F5       BIG-IP Carrier-Grade NAT                         application
F5       BIG-IP Container Ingress Services                application
F5       BIG-IP DDoS Hybrid Defender                      application
F5       BIG-IP Domain Name System                        application
F5       BIG-IP Edge Gateway                              application
F5       BIG-IP Fraud Protection Service                  application
F5       BIG-IP Global Traffic Manager                    application
F5       BIG-IP Link Controller                           application
F5       BIG-IP Local Traffic Manager                     application
F5       BIG-IP Policy Enforcement Manager                application
F5       BIG-IP SSL Orchestrator                          application
F5       BIG-IP WebAccelerator                            application
F5       BIG-IP WebSafe                                   application

Vendor-confirmed product mapping.
