cvelistv5 - cve-2025-53521

CVE-2025-53521 (GCVE-0-2025-53521)

Vulnerability from cvelistv5

Published

2025-10-15 13:55

Modified

2026-03-31 16:04

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-121 - Stack-based Buffer Overflow

Summary

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References

URL

Tags

https://my.f5.com/manage/s/article/K000156741

vendor-advisory

Impacted products

	Vendor	Product	Version
	F5	BIG-IP	Version: 17.5.0 < 17.5.1.3 Version: 17.1.0 < 17.1.3 Version: 16.1.0 < 16.1.6.1 Version: 15.1.0 < 15.1.10.8

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

Date added: 2026-03-27

Due date: 2026-03-30

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Used in ransomware: Unknown

Notes: Please adhere to F5’s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible F5 products affected by this vulnerability. For more information please see: https://my.f5.com/manage/s/article/K000156741 ; https://my.f5.com/manage/s/article/K000160486 ; https://my.f5.com/manage/s/article/K11438344 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53521

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53521",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-28T03:55:47.100165Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-03-27",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-29T13:56:45.917Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "APM"
          ],
          "product": "BIG-IP",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "17.5.1.3",
              "status": "affected",
              "version": "17.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "17.1.3",
              "status": "affected",
              "version": "17.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "16.1.6.1",
              "status": "affected",
              "version": "16.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "15.1.10.8",
              "status": "affected",
              "version": "15.1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 would like to thank Kristian Vlaardingerbroek, Hugo Trippaers, and other people of Schuberg Philis; Bart Vrancken; Fox-IT; and the National Cyber Security Centre (NCSC) in the Netherlands for their assistance in investigating this issue and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2025-10-15T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).\u003c/span\u003e\u0026nbsp;\u0026nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\u003c/span\u003e"
            }
          ],
          "value": "When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T16:04:27.360Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000156741"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "BigIP APM Vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2025-53521",
    "datePublished": "2025-10-15T13:55:52.694Z",
    "dateReserved": "2025-10-03T23:04:38.083Z",
    "dateUpdated": "2026-03-31T16:04:27.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-53521",
      "cwes": "[\"CWE-121\"]",
      "dateAdded": "2026-03-27",
      "dueDate": "2026-03-30",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "Please adhere to F5\u2019s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible F5 products affected by this vulnerability. For more information please see: https://my.f5.com/manage/s/article/K000156741 ; https://my.f5.com/manage/s/article/K000160486 ; https://my.f5.com/manage/s/article/K11438344 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53521",
      "product": "BIG-IP",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution.",
      "vendorProject": "F5",
      "vulnerabilityName": "F5 BIG-IP Stack-Based Buffer Overflow Vulnerability"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53521\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-28T03:55:47.100165Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-03-27\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521\"}}}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-15T15:32:22.317Z\"}}], \"cna\": {\"title\": \"BigIP APM Vulnerability\", \"source\": {\"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"F5\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"F5\", \"modules\": [\"APM\"], \"product\": \"BIG-IP\", \"versions\": [{\"status\": \"affected\", \"version\": \"17.5.0\", \"lessThan\": \"17.5.1.3\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"17.1.0\", \"lessThan\": \"17.1.3\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"16.1.0\", \"lessThan\": \"16.1.6.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"15.1.0\", \"lessThan\": \"15.1.10.8\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2025-10-15T14:00:00.000Z\", \"references\": [{\"url\": \"https://my.f5.com/manage/s/article/K000156741\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"F5 SIRTBot v1.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).\\u00a0\\u00a0\\n\\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eWhen a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE).\u003c/span\u003e\u0026nbsp;\u0026nbsp;\\n\\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\\n\\n\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"shortName\": \"f5\", \"dateUpdated\": \"2026-03-27T17:54:37.332Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53521\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-29T13:56:45.917Z\", \"dateReserved\": \"2025-10-03T23:04:38.083Z\", \"assignerOrgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"datePublished\": \"2025-10-15T13:55:52.694Z\", \"assignerShortName\": \"f5\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-ALE-004

Vulnerability from certfr_alerte

Le 15 octobre 2025, F5 a publié un avis de sécurité concernant entre autres la vulnérabilité CVE-2025-53521. Celle-ci affecte BIG-IP APM et permet à un attaquant non authentifié d'exécuter du code à distance.
Le 29 mars 2026, l'éditeur indique que cette vulnérabilité est exploitée activement.

Le CERT-FR recommande d'effectuer une recherche de compromission en s'appuyant sur les éléments documentés par F5 dans son billet de blogue [1] :

1 - Indicateurs de compromission dans le système de fichiers :

la présence des fichiers /run/bigtlog.pipe ou /run/bigstart.ltm ;
des condensats des fichiers /usr/bin/umount et /usr/sbin/httpd différents de ceux des versions légitimes ;
des tailles de fichiers ou date de création des fichiers /usr/bin/umount et /usr/sbin/httpd différentes de celles des versions légitimes.

2 - Indicateurs de compromission dans les journaux :

dans les fichiers /var/log/restjavad-audit.<NUMBER>.log, vérifier la présence d'entrées de la forme suivante, indiquant une requête iControl via API REST par un utilisateur local :

[ForwarderPassThroughWorker{"user":"local/f5hubblelcdadmin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"Unknown"}

dans les fichiers /var/log/auditd/audit.log.<NUMBER>, vérifier la présence d'entrées de la forme suivante, indiquant des tentatives de désactivation du système SELinux lors d'une requête iControl via API REST :

msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

dans le fichier /var/log/audit, vérifier la présence d'entrées de la forme suivante :

user=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash <VARIABLE_COMMAND>

3 - Indicateurs de compromission lors d'exécutions de commandes de contrôle :

exécution de sys‑eicheck : il s'agit d'un vérificateur d’intégrité du système, composant logiciel installé sur les appliances BIG‑IP. Il s’appuie sur la fonctionnalité de vérification d’intégrité des paquets RPM et confronte les exécutables présents sur le disque aux empreintes (condensats) stockées dans la base de données RPM. Lorsqu’une différence est constatée, le système alerte les utilisateurs.

/usr/bin/umount

/usr/sbin/httpd

exécution de lsof -n : le système est compromis si la présence de /run/bigtlog.pipe est avérée.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
F5	BIG-IP	BIG-IP Access Policy Manager (tous les modules) versions 17.1.x antérieures à 17.1.3
F5	BIG-IP	BIG-IP Access Policy Manager (tous les modules) versions 15.1.x antérieures à 15.1.10.8
F5	BIG-IP	BIG-IP Access Policy Manager (tous les modules) versions 17.5.x antérieures à 17.5.1.3
F5	BIG-IP	BIG-IP Access Policy Manager (tous les modules) versions 16.1.x antérieures à 16.1.6.1

References

Title

Publication Time

Tags

Bulletin de sécurité F5 K000156741	2025-10-15	vendor-advisory
Considérations et conseils à suivre si vous soupçonnez une faille de sécurité sur un système BIG-IP	-	other
[1] Marqueur de compromission pour c05d5254	-	other
Avis CERT-FR CERTFR-2025-AVI-0886 du 16 octobre 2025	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "BIG-IP Access Policy Manager (tous les modules) versions 17.1.x ant\u00e9rieures \u00e0 17.1.3",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Access Policy Manager (tous les modules) versions 15.1.x ant\u00e9rieures \u00e0 15.1.10.8",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Access Policy Manager (tous les modules) versions 17.5.x ant\u00e9rieures \u00e0 17.5.1.3",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Access Policy Manager (tous les modules) versions 16.1.x ant\u00e9rieures \u00e0 16.1.6.1",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "closed_at": null,
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-53521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53521"
    }
  ],
  "initial_release_date": "2026-03-31T00:00:00",
  "last_revision_date": "2026-03-31T00:00:00",
  "links": [
    {
      "title": "Consid\u00e9rations et conseils \u00e0 suivre si vous soup\u00e7onnez une faille de s\u00e9curit\u00e9 sur un syst\u00e8me BIG-IP",
      "url": "https://my.f5.com/manage/s/article/K11438344"
    },
    {
      "title": "[1] Marqueur de compromission pour c05d5254",
      "url": "https://my.f5.com/manage/s/article/K000160486"
    },
    {
      "title": "Avis CERT-FR CERTFR-2025-AVI-0886 du 16 octobre 2025",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-0886/"
    }
  ],
  "reference": "CERTFR-2026-ALE-004",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-03-31T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Le 15 octobre 2025, F5 a publi\u00e9 un avis de s\u00e9curit\u00e9 concernant entre autres la vuln\u00e9rabilit\u00e9 CVE-2025-53521. Celle-ci affecte BIG-IP APM et permet \u00e0 un attaquant non authentifi\u00e9  d\u0027ex\u00e9cuter du code \u00e0 distance.\u003cbr\u003e\nLe 29 mars 2026, l\u0027\u00e9diteur indique que cette vuln\u00e9rabilit\u00e9 est exploit\u00e9e activement.\n\nLe CERT-FR recommande d\u0027effectuer une recherche de compromission en s\u0027appuyant sur les \u00e9l\u00e9ments document\u00e9s par F5 dans son billet de blogue [1] :\n\n1 - Indicateurs de compromission dans le syst\u00e8me de fichiers :\n\u003cul\u003e\n\u003cli\u003ela pr\u00e9sence des fichiers \u003ccode\u003e/run/bigtlog.pipe\u003c/code\u003e ou \u003ccode\u003e/run/bigstart.ltm\u003c/code\u003e ;\u003c/li\u003e\n\u003cli\u003edes condensats des fichiers  \u003ccode\u003e/usr/bin/umount\u003c/code\u003e et \u003ccode\u003e/usr/sbin/httpd\u003c/code\u003e diff\u00e9rents de ceux des versions l\u00e9gitimes ;\u003c/li\u003e\n\u003cli\u003edes tailles de fichiers ou date de cr\u00e9ation des fichiers \u003ccode\u003e/usr/bin/umount\u003c/code\u003e et \u003ccode\u003e/usr/sbin/httpd\u003c/code\u003e diff\u00e9rentes de celles des versions l\u00e9gitimes.\u003c/li\u003e\n\u003c/ul\u003e\n2 - Indicateurs de compromission dans les journaux :\n\u003cul\u003e\n\u003cli\u003edans les fichiers \u003ccode\u003e/var/log/restjavad-audit.\u0026lt;NUMBER\u0026gt;.log\u003c/code\u003e, v\u00e9rifier la pr\u00e9sence d\u0027entr\u00e9es de la forme suivante, indiquant une requ\u00eate iControl via API REST par un utilisateur local :\u003c/li\u003e\n\u003cpre\u003e\n[ForwarderPassThroughWorker{\"user\":\"local/f5hubblelcdadmin\",\"method\":\"POST\",\"uri\":\"http://localhost:8100/mgmt/tm/util/bash\",\"status\":200,\"from\":\"Unknown\"}\n\u003c/pre\u003e\n\u003cli\u003edans les fichiers \u003ccode\u003e/var/log/auditd/audit.log.\u0026lt;NUMBER\u0026gt;\u003c/code\u003e, v\u00e9rifier la pr\u00e9sence d\u0027entr\u00e9es de la forme suivante, indiquant des tentatives de d\u00e9sactivation du syst\u00e8me SELinux lors d\u0027une requ\u00eate iControl via API REST :\u003c/li\u003e\n\u003cpre\u003e\nmsg=\u0027avc: received setenforce notice (enforcing=0) exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?\u0027\n\u003c/pre\u003e\n\u003cli\u003edans le fichier \u003ccode\u003e/var/log/audit\u003c/code\u003e, v\u00e9rifier la pr\u00e9sence d\u0027entr\u00e9es de la forme suivante :\u003c/li\u003e\n\u003cpre\u003e\nuser=f5hubblelcdadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=run util bash \u0026lt;VARIABLE_COMMAND\u0026gt;\n\u003c/pre\u003e\nCette entr\u00e9e illustre un exemple de commande ex\u00e9cut\u00e9e et consign\u00e9e dans le journal d\u2019audit, corr\u00e9l\u00e9e \u00e0 la requ\u00eate iControl\u202fREST mentionn\u00e9e ci\u2011dessus.\n\u003c/ul\u003e\n\n3 - Indicateurs de compromission lors d\u0027ex\u00e9cutions de commandes de contr\u00f4le :\n\u003cul\u003e\n\u003cli\u003eex\u00e9cution de \u003ccode\u003esys\u2011eicheck\u003c/code\u003e : il s\u0027agit d\u0027un v\u00e9rificateur d\u2019int\u00e9grit\u00e9 du syst\u00e8me, composant logiciel install\u00e9 sur les appliances BIG\u2011IP. Il s\u2019appuie sur la fonctionnalit\u00e9 de v\u00e9rification d\u2019int\u00e9grit\u00e9 des paquets RPM et confronte les ex\u00e9cutables pr\u00e9sents sur le disque aux empreintes (condensats) stock\u00e9es dans la base de donn\u00e9es RPM. Lorsqu\u2019une diff\u00e9rence est constat\u00e9e, le syst\u00e8me alerte les utilisateurs.\u003c/li\u003e\n\nL\u0027ex\u00e9cution de cette commande peut indiquer des erreurs de conformit\u00e9, en particulier concernant les fichiers \u003ccode\u003e/usr/bin/umount\u003c/code\u003e ou \u003ccode\u003e/usr/sbin/httpd\u003c/code\u003e.\n\n\u003cli\u003eex\u00e9cution de \u003ccode\u003elsof -n\u003c/code\u003e : le syst\u00e8me est compromis si la pr\u00e9sence de \u003ccode\u003e/run/bigtlog.pipe\u003c/code\u003e est av\u00e9r\u00e9e.\u003c/li\u003e\n\u003c/ul\u003e\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans F5 BIG-IP Access Policy Manager",
  "vendor_advisories": [
    {
      "published_at": "2025-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 F5 K000156741",
      "url": "https://my.f5.com/manage/s/article/K000156741"
    }
  ]
}

CERTFR-2025-AVI-0886

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits F5. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
F5	BIG-IP Next	BIG-IP Next pour Kubernetes versions 2.1.x antérieures à 2.1.0 EHF-2
F5	BIG-IP Next	BIG-IP Next SPK versions 1.7.x antérieures à 1.7.15 EHF-2
F5	BIG-IP	BIG-IP (tous les modules) versions 15.1.x antérieures à 15.1.10.8
F5	BIG-IP Next	BIG-IP Next CNF versions 2.x antérieures à 2.1.0 EHF-1
F5	BIG-IP	BIG-IP (tous les modules) versions 17.5.x antérieures à 17.5.1.3
F5	BIG-IP Next	BIG-IP Next SPK versions 2.x antérieures à 2.1.0 EHF-1
F5	BIG-IP	BIG-IP (tous les modules) versions 17.1.x antérieures à 17.1.3
F5	NGINX	NGINX App Protect WAF versions antérieures à 4.7.0
F5	BIG-IP Next	BIG-IP Next CNF versions 1.4.x antérieures à 1.4.0 EHF-3
F5	BIG-IP	BIG-IP (tous les modules) versions 16.1.x antérieures à 16.1.6.1

References

Title

Publication Time

Tags

Bulletin de sécurité F5 K000156572

2025-10-15

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "BIG-IP Next pour Kubernetes versions 2.1.x ant\u00e9rieures \u00e0 2.1.0 EHF-2",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next SPK versions 1.7.x ant\u00e9rieures \u00e0 1.7.15 EHF-2",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous les modules) versions 15.1.x ant\u00e9rieures \u00e0 15.1.10.8",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next CNF versions 2.x ant\u00e9rieures \u00e0 2.1.0 EHF-1",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous les modules) versions 17.5.x ant\u00e9rieures \u00e0 17.5.1.3",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next SPK versions 2.x ant\u00e9rieures \u00e0 2.1.0 EHF-1",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous les modules) versions 17.1.x ant\u00e9rieures \u00e0 17.1.3",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "NGINX App Protect WAF versions ant\u00e9rieures \u00e0 4.7.0",
      "product": {
        "name": "NGINX",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP Next CNF versions 1.4.x ant\u00e9rieures \u00e0 1.4.0 EHF-3",
      "product": {
        "name": "BIG-IP Next",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    },
    {
      "description": "BIG-IP (tous les modules) versions 16.1.x ant\u00e9rieures \u00e0 16.1.6.1",
      "product": {
        "name": "BIG-IP",
        "vendor": {
          "name": "F5",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-48008",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48008"
    },
    {
      "name": "CVE-2025-53521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53521"
    },
    {
      "name": "CVE-2025-54858",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54858"
    },
    {
      "name": "CVE-2025-59478",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59478"
    },
    {
      "name": "CVE-2025-61990",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61990"
    },
    {
      "name": "CVE-2025-55670",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55670"
    },
    {
      "name": "CVE-2025-58153",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58153"
    },
    {
      "name": "CVE-2025-58071",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58071"
    },
    {
      "name": "CVE-2025-55036",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55036"
    },
    {
      "name": "CVE-2025-53868",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53868"
    },
    {
      "name": "CVE-2025-60015",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-60015"
    },
    {
      "name": "CVE-2025-59481",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59481"
    },
    {
      "name": "CVE-2025-54479",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54479"
    },
    {
      "name": "CVE-2025-41430",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-41430"
    },
    {
      "name": "CVE-2025-59483",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59483"
    },
    {
      "name": "CVE-2025-59778",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59778"
    },
    {
      "name": "CVE-2025-59268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59268"
    },
    {
      "name": "CVE-2025-53860",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53860"
    },
    {
      "name": "CVE-2025-54805",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54805"
    },
    {
      "name": "CVE-2025-61935",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61935"
    },
    {
      "name": "CVE-2025-57780",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-57780"
    },
    {
      "name": "CVE-2025-61938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61938"
    },
    {
      "name": "CVE-2025-61951",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61951"
    },
    {
      "name": "CVE-2025-59781",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59781"
    },
    {
      "name": "CVE-2025-53474",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53474"
    },
    {
      "name": "CVE-2025-58096",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58096"
    },
    {
      "name": "CVE-2025-61974",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61974"
    },
    {
      "name": "CVE-2025-53856",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53856"
    },
    {
      "name": "CVE-2025-58424",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58424"
    },
    {
      "name": "CVE-2025-60013",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-60013"
    },
    {
      "name": "CVE-2025-60016",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-60016"
    },
    {
      "name": "CVE-2025-47150",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47150"
    },
    {
      "name": "CVE-2025-58120",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58120"
    },
    {
      "name": "CVE-2025-61958",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61958"
    },
    {
      "name": "CVE-2025-59269",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59269"
    },
    {
      "name": "CVE-2025-54854",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54854"
    },
    {
      "name": "CVE-2025-54755",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54755"
    },
    {
      "name": "CVE-2025-61955",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61955"
    },
    {
      "name": "CVE-2025-61960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61960"
    },
    {
      "name": "CVE-2025-58474",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58474"
    },
    {
      "name": "CVE-2025-61933",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61933"
    },
    {
      "name": "CVE-2025-47148",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47148"
    },
    {
      "name": "CVE-2025-29481",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-29481"
    },
    {
      "name": "CVE-2025-46706",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-46706"
    },
    {
      "name": "CVE-2025-55669",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55669"
    }
  ],
  "initial_release_date": "2025-10-16T00:00:00",
  "last_revision_date": "2025-10-16T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0886",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-10-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits F5. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits F5",
  "vendor_advisories": [
    {
      "published_at": "2025-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 F5 K000156572",
      "url": "https://my.f5.com/manage/s/article/K000156572"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-53521 (GCVE-0-2025-53521)

Vulnerability from cvelistv5

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

CERTFR-2026-ALE-004

Vulnerability from certfr_alerte

Solutions

CERTFR-2025-AVI-0886

Vulnerability from certfr_avis

Solutions

Tags

Sightings

Nomenclature