CVE-2025-61955 is a vulnerability identified in F5 Networks' F5OS-A and F5OS-C appliances, specifically affecting versions 1.5.0 and 1.8.0. The root cause is improper neutralization of directives in dynamically evaluated code, classified under CWE-95, which allows an attacker who has authenticated local access to execute malicious code or commands that can escalate their privileges beyond intended boundaries. This vulnerability enables crossing security boundaries within the appliance, potentially allowing an attacker to gain administrative or root-level control. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and low privileges required, but no user interaction needed. The vulnerability does not currently have publicly known exploits in the wild, but the risk remains significant due to the critical role of F5 appliances in network traffic management and security. The vulnerability is particularly dangerous because it leverages dynamic code evaluation flaws, which can be exploited to execute arbitrary code or commands, bypassing security controls. The affected F5OS appliances are widely used in enterprise and service provider environments to manage application delivery, load balancing, and security services, making this vulnerability a critical concern for network infrastructure security.

The impact on European organizations could be severe due to the critical role F5OS appliances play in managing and securing network traffic, including load balancing, application delivery, and firewall functions. Successful exploitation could lead to full compromise of the appliance, allowing attackers to intercept, modify, or disrupt network traffic, potentially leading to data breaches, service outages, or lateral movement within the network. Confidentiality is at high risk as attackers could access sensitive data passing through the appliance. Integrity and availability are also at high risk, as attackers could alter configurations or disrupt services. Given the appliance’s position in the network, this could affect multiple connected systems and services, amplifying the damage. European organizations in sectors such as finance, telecommunications, government, and critical infrastructure are particularly vulnerable, as these sectors rely heavily on robust network security and availability. Additionally, the requirement for local authenticated access means insider threats or attackers who have compromised lower-level credentials could leverage this vulnerability to escalate privileges and cause significant harm.

1. Monitor F5 Networks’ advisories closely and apply patches or updates as soon as they are released for affected F5OS versions. 2. Restrict local access to F5OS appliances strictly to trusted administrators and use strong authentication mechanisms such as multi-factor authentication (MFA). 3. Implement network segmentation to limit access to management interfaces of F5 appliances, reducing the risk of unauthorized local access. 4. Conduct regular audits and monitoring of logs for unusual privilege escalation attempts or suspicious activities on F5OS devices. 5. Employ host-based intrusion detection systems (HIDS) on management hosts to detect anomalous behavior. 6. Review and harden appliance configurations to minimize attack surface, disabling unnecessary services and interfaces. 7. Train administrators on secure operational practices and awareness of privilege escalation risks. 8. Prepare incident response plans specifically addressing potential compromise of network infrastructure devices like F5 appliances.