High

Privilege Escalation in F5OS-A and F5OS-C

IdentifiersCVE-2025-61955CWE-95· Improper Neutralization of…

CVE-2025-61955 is a high-severity privilege escalation vulnerability affecting F5OS-A and F5OS-C, the operating systems used by F5 rSeries appliances and VELOS chassis systems. According to the provided content, the flaw may allow an authenticated attacker with local access to escalate privileges and bypass Appliance mode restrictions, enabling the attacker to cross a security boundary. The supporting content attributes the issue to CWE-95, indicating improper neutralization of directives in dynamically evaluated code (eval injection), where insufficient sanitization or validation of user-supplied input can permit execution of malicious directives with elevated privileges.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an authenticated local attacker to gain elevated privileges on the affected F5OS system and bypass Appliance mode security restrictions. Because the flaw can cross a security boundary, impact can extend beyond ordinary privilege escalation to access to protected functionality or the underlying operating environment, with potential compromise of confidentiality, integrity, and availability. The provided content cites CVSS v3.1 scores up to 8.8 in Appliance mode and notes high impact across C, I, and A.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict local access to trusted authenticated administrators only, minimize the number of accounts with local access, and tightly control access paths to the F5OS host. Because exploitation requires authenticated local access, hardening administrative access, enforcing least privilege, and monitoring for suspicious local activity can reduce exposure. The content also supports ensuring management interfaces are not unnecessarily exposed and segmenting appliance management access where possible, although the primary mitigation is vendor patching.

Remediation

Patch, then assume compromise.

Apply the vendor-provided fixes from F5 for affected supported versions of F5OS-A and F5OS-C. The content identifies F5 advisory K000156771 and the October 2025 Quarterly Security Notification as the authoritative sources for affected and fixed versions. Provided version data indicates fixed releases include F5OS-A 1.8.3 and 1.5.4, and F5OS-C 1.8.2 and 1.6.4. Systems running supported affected versions should be upgraded to the corresponding fixed release as soon as operationally feasible. End of Technical Support versions were not evaluated.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

F5F5os-Aoperating_system

F5F5os-Coperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

fortinet threat signalNews

Oct 17, 2025

F5 Data Breach Attack

A vulnerability in F5 BIG-IP products, details undisclosed, but considered critical due to the exposure of source code and risk of exploit acceleration.

palo alto networks unit 42 blogNews

Oct 16, 2025

Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities

An F5OS vulnerability (appliance mode) that could enable major compromise of F5OS-A and F5OS-C systems (CVSS up to 8.8).

cvefeed high severityNews

Oct 15, 2025

CVE-2025-61955 - F5OS vulnerability

A privilege escalation vulnerability in F5OS-A and F5OS-C systems that allows an authenticated local attacker to escalate privileges and cross security boundaries. The vulnerability is due to improper neutralization of directives in dynamically evaluated code (Eval Injection).

labs beazley securityNews

Oct 15, 2025

F5 Source Code, Engineering Documentation and undisclosed vulnerabilities stolen by Nation State Threat Actors

An F5OS-A/C privilege escalation vulnerability allowing an authenticated attacker to escalate privileges.

+1 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-61955

NVD

nvd.nist.gov/vuln/detail/CVE-2025-61955

MITRE CWE · CWE-95

Improper Neutralization of Directives in…

Vendor Advisory

my.f5.com/manage/s/article/K000156771