CVE-2025-36546 is an authorization vulnerability classified under CWE-863 affecting F5OS Appliance versions 1.5.1 and 1.7.0. The issue arises when the root user configures SSH key-based authentication and subsequently enables Appliance Mode on the device. Despite enabling Appliance Mode, which is intended to restrict certain access methods, the system continues to allow SSH logins using the root user's SSH keys. This behavior constitutes incorrect authorization because the security posture expected under Appliance Mode is not enforced correctly, allowing potentially unauthorized access if an attacker possesses the root's private SSH key. The vulnerability requires no user interaction and can be exploited remotely over the network (AV:N), but the attack complexity is high (AC:H) due to the need for the private key. The impact is severe, with full confidentiality, integrity, and availability compromise possible (C:H/I:H/A:H). The vulnerability does not affect versions that have reached End of Technical Support. No patches have been released at the time of this report, and no known exploits are publicly documented. Organizations should be aware that this vulnerability could allow attackers to bypass intended access restrictions, leading to full control over the appliance and potentially the network traffic it manages.

The vulnerability allows an attacker who has obtained the root user's SSH private key to bypass Appliance Mode restrictions and gain unauthorized root access to the F5OS appliance. This can lead to complete compromise of the device, including interception, modification, or disruption of network traffic managed by the appliance. The confidentiality of sensitive data passing through the appliance can be breached, integrity of network configurations and data can be altered, and availability can be disrupted by malicious actions. Given the critical role of F5 appliances in load balancing, application delivery, and security enforcement, exploitation could have cascading effects on enterprise networks and services. The high CVSS score (8.1) reflects the significant risk, especially in environments where SSH keys are not securely managed or where Appliance Mode is relied upon as a security boundary. Organizations worldwide using affected versions may face operational disruptions, data breaches, and increased risk of lateral movement by attackers.

1. Immediately audit and restrict access to root SSH private keys, ensuring they are stored securely and access is tightly controlled. 2. Before enabling Appliance Mode, disable SSH key-based authentication or remove all authorized keys for the root user to prevent unintended access. 3. Implement strict SSH key management policies, including regular key rotation and use of hardware security modules (HSMs) or secure vaults for key storage. 4. Monitor SSH login attempts and enable detailed logging on F5OS appliances to detect anomalous access patterns. 5. Use multi-factor authentication (MFA) where possible to add an additional layer of security beyond SSH keys. 6. Stay informed on vendor advisories and apply patches or updates promptly once available. 7. Consider network segmentation and firewall rules to limit SSH access to trusted management networks only. 8. Conduct regular security assessments and penetration testing focused on appliance configurations and access controls. These steps go beyond generic advice by focusing on operational controls around SSH key management and Appliance Mode configuration to mitigate the specific authorization bypass risk.