CVE-2025-61958 is a vulnerability categorized under CWE-250 (Execution with Unnecessary Privileges) affecting F5 BIG-IP versions 15.1.0, 16.1.0, 17.1.0, and 17.5.0. The flaw exists in the iHealth command implementation, which is intended for system health diagnostics. An authenticated attacker possessing at least resource administrator privileges can exploit this vulnerability to bypass the Traffic Management Shell (tmsh) restrictions, which normally limit command execution scope. By doing so, the attacker gains unauthorized access to a bash shell on the device. For BIG-IP systems operating in Appliance mode, this exploit allows crossing of security boundaries, potentially enabling the attacker to execute arbitrary commands with elevated privileges beyond their assigned role. The vulnerability has a CVSS v3.1 score of 8.7, reflecting high impact on confidentiality and integrity, with network attack vector, low attack complexity, and no user interaction required. Although no public exploits have been reported yet, the vulnerability's nature and impact make it a critical concern for organizations relying on BIG-IP devices for load balancing, application delivery, and security functions. The vulnerability affects supported versions only; versions past End of Technical Support are not evaluated. The lack of available patches at the time of disclosure necessitates immediate risk mitigation.

This vulnerability can have severe consequences for organizations worldwide that deploy F5 BIG-IP devices, which are widely used for load balancing, application delivery, and security services in enterprise and service provider networks. Successful exploitation allows an attacker with resource administrator privileges to escalate their access to a full bash shell, effectively bypassing role-based access controls and tmsh restrictions. This can lead to unauthorized command execution, data exfiltration, manipulation of network traffic, and potential disruption of critical services. In Appliance mode, crossing security boundaries further increases the risk by allowing attackers to access otherwise isolated system components, potentially compromising the entire device. The breach of confidentiality and integrity could facilitate lateral movement within networks, enabling attackers to target sensitive applications and data. Given the central role of BIG-IP devices in network infrastructure, this vulnerability could impact the availability and security of multiple downstream systems, amplifying the overall risk to organizational operations and data protection.

1. Immediate mitigation should include restricting resource administrator privileges strictly to trusted personnel and auditing existing accounts for unnecessary elevated access. 2. Implement network segmentation and access controls to limit administrative access to BIG-IP management interfaces. 3. Monitor system logs and command execution for unusual activity related to the iHealth command and tmsh usage. 4. Apply principle of least privilege to all administrative roles to reduce the attack surface. 5. Until official patches are released, consider disabling or restricting the iHealth command if feasible without impacting operations. 6. Employ multi-factor authentication (MFA) for all administrative access to reduce risk of credential compromise. 7. Regularly update and patch BIG-IP devices as soon as vendor fixes become available. 8. Conduct penetration testing and vulnerability assessments focused on privilege escalation vectors within BIG-IP environments. 9. Maintain an incident response plan tailored to network infrastructure compromise scenarios involving BIG-IP devices.