CVE-2025-61955 is a vulnerability identified in F5OS-A and F5OS-C appliances, specifically in versions 1.5.0 and 1.8.0. The root cause is improper neutralization of directives in dynamically evaluated code, classified under CWE-95. This means that the software fails to properly sanitize or validate input that is executed as code, allowing an attacker with authenticated local access to inject or manipulate code directives. Such manipulation can lead to privilege escalation, enabling the attacker to cross security boundaries that should normally restrict access to sensitive functions or data. The vulnerability has a CVSS v3.1 base score of 8.8, indicating high severity, with attack vector limited to local access (AV:L), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and a scope change (S:C). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), meaning a successful exploit could lead to full system compromise. The vulnerability affects only supported versions; versions that have reached End of Technical Support are not evaluated. No patches or exploit code are currently publicly available, but the risk remains significant due to the nature of the flaw and the critical role of F5OS appliances in network infrastructure.

The impact of CVE-2025-61955 is substantial for organizations relying on F5OS-A and F5OS-C appliances, which are commonly used for application delivery, load balancing, and security functions in enterprise and service provider networks. An attacker who gains authenticated local access—potentially through other vulnerabilities, misconfigurations, or insider threats—can escalate privileges and bypass security boundaries, leading to unauthorized access to sensitive data, disruption of network services, or further lateral movement within the network. This can compromise the confidentiality, integrity, and availability of critical network infrastructure, potentially causing service outages, data breaches, and loss of trust. Given the high CVSS score and scope change, the vulnerability could also facilitate advanced persistent threats (APTs) targeting high-value assets. Organizations with large deployments of affected F5OS versions face increased risk, especially if they have not implemented strict access controls or monitoring for local administrative access.

To mitigate CVE-2025-61955, organizations should immediately identify all F5OS-A and F5OS-C appliances running affected versions 1.5.0 and 1.8.0. Although no patches are currently listed, organizations should monitor F5’s official advisories for updates and apply patches as soon as they become available. In the interim, restrict local access to these appliances strictly to trusted administrators and use multi-factor authentication to reduce the risk of unauthorized access. Implement network segmentation to isolate management interfaces and limit exposure. Enable and review detailed logging and alerting for any suspicious local activity or privilege escalation attempts. Conduct regular audits of user privileges and remove unnecessary local accounts. Additionally, consider deploying host-based intrusion detection systems (HIDS) on management hosts to detect anomalous code execution or configuration changes. Finally, educate administrators about the risks of executing untrusted code or commands on these appliances.