Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

F5 BIG-IP tmsh iHealth command restriction bypass to bash shell

IdentifiersCVE-2025-61958CWE-250· Execution with Unnecessary…

CVE-2025-61958 is a privilege-escalation vulnerability in the iHealth command within the TMOS Shell (tmsh) on F5 BIG-IP systems. According to F5, an authenticated attacker with at least the Resource Administrator role can bypass tmsh restrictions and gain access to the Advanced Shell (bash). On systems running in Appliance mode, successful exploitation crosses the intended security boundary that is meant to prevent direct shell access to the underlying operating system. The provided context attributes the issue to improper sanitization or validation in the iHealth utility when processing diagnostic functionality, enabling escape from the restricted tmsh environment into bash.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated user with sufficient privileges to escape the restricted tmsh environment and obtain bash access on the BIG-IP system. This results in privilege escalation and access to the underlying operating system. In Appliance mode, the impact is more severe because the vulnerability defeats Appliance mode protections and crosses a security boundary intended to isolate administrative users from direct OS-level access.

Mitigation

If you can’t patch tonight, do this now.

F5 states there is no viable mitigation that preserves normal user access because exploitation is performed by a legitimate authenticated user. The only complete mitigation is to remove access for users who are not fully trusted. As temporary risk reduction measures until patching, restrict SSH access to tmsh to trusted networks or devices only, set self IP Port Lockdown to Allow None or use Allow Custom while blocking TCP/22, optionally apply packet filtering to limit SSH exposure to specific CIDR ranges, and restrict management interface access to trusted users and devices over a secured network using firewall rules.

Remediation

Patch, then assume compromise.

Install a fixed BIG-IP release from F5. The advisory context lists fixed versions as BIG-IP 17.5.1.1 for 17.5.x, 17.1.3 for 17.1.x, 16.1.6.1 for 16.x, and 15.1.10.8 for 15.x. If no fix is available for the deployed branch, upgrade to a branch/version that includes the fix. Use F5 advisory K000154647 as the authoritative source for affected and fixed versions.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
F5Big-Ip Access Policy Managerapplication
F5Big-Ip Advanced Firewall Managerapplication
F5Big-Ip Advanced Web Application Firewallapplication
F5Big-Ip Analyticsapplication
F5Big-Ip Application Acceleration Managerapplication
F5Big-Ip Application Security Managerapplication
F5Big-Ip Application Visibility And Reportingapplication
F5Big-Ip Automation Toolchainapplication
F5Big-Ip Carrier-Grade Natapplication
F5Big-Ip Container Ingress Servicesapplication
F5Big-Ip Ddos Hybrid Defenderapplication
F5Big-Ip Domain Name Systemapplication
F5Big-Ip Edge Gatewayapplication
F5Big-Ip Fraud Protection Serviceapplication
F5Big-Ip Global Traffic Managerapplication
F5Big-Ip Link Controllerapplication
F5Big-Ip Local Traffic Managerapplication
F5Big-Ip Policy Enforcement Managerapplication
F5Big-Ip Ssl Orchestratorapplication
F5Big-Ip Webacceleratorapplication
F5Big-Ip Websafeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
cyberscoopNews
Nov 10, 2025
What’s left to worry (and not worry) about in the F5 breach aftermath

A high-severity vulnerability in F5 BIG-IP, requiring authentication for exploitation. Not currently known to be exploited in the wild.

Read more
flashpoint blogNews
Oct 17, 2025
Critical Vulnerability Exposure: Why the Stolen F5 Data Poses an Imminent Threat

A vulnerability in F5 products allowing remote shell access by bypassing TMSH restrictions via unspecified iHealth command flaws.

Read more
cvefeed high severityNews
Oct 15, 2025
CVE-2025-61958 - BIG-IP TMSH vulnerability

A privilege escalation vulnerability in F5 BIG-IP's iHealth command allows authenticated attackers with resource administrator privileges to bypass TMSH restrictions and gain unauthorized bash shell access, potentially crossing security boundaries in Appliance mode.

Read more
labs beazley securityNews
Oct 15, 2025
F5 Source Code, Engineering Documentation and undisclosed vulnerabilities stolen by Nation State Threat Actors

An F5 BIG-IP vulnerability that lets an authenticated resource administrator escape tmsh into bash, cross a security boundary, and gain underlying OS access.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-61958
NVD
nvd.nist.gov/vuln/detail/CVE-2025-61958
MITRE CWE · CWE-250
Execution with Unnecessary Privileges
Vendor Advisory
my.f5.com/manage/s/article/K000154647