CVE Alert: CVE-2025-53868 – F5 – BIG-IP

CVE-2025-53868

HIGH · No exploitation known

When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance mode restrictions using undisclosed commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3.1: 8.7 (AV NETWORK · AC LOW · PR HIGH · UI NONE · S CHANGED)
Vendor: F5
Product: BIG-IP
Versions: from 17.5.0 before 17.5.1 | from 17.1.0 before 17.1.3 | from 16.1.0 before 16.1.6.1 | from 15.1.0 before 15.1.10.8
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Published: 2025-10-15T13:55:51.551Z
Updated: 2025-10-16T03:56:22.081Z

AI Summary Analysis

Risk verdict

Why this matters

Most likely attack path

Who is most exposed

Detection ideas

  • Unusual SCP/SFTP activity from privileged accounts to the appliance, outside maintenance windows.
  • Execution of rare or undisclosed OS commands within the appliance CLI.
  • Changes to appliance-mode restrictions or unexpected privilege escalations.
  • Anomalous data movement or traffic policy changes from the device.
  • Privileged sessions lacking MFA or multi-user correlation during off-hours.
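
One way to implement the first detection idea above, as an added example that is not part of the advisory or any F5 tooling. It assumes OpenSSH-style syslog lines with an ISO 8601 timestamp and covers SFTP subsystem requests only; the account names, maintenance window, hostname and addresses are constructed placeholders.

```python
import re
from datetime import datetime, time

# Assumptions, not from the advisory: OpenSSH-style syslog lines with an
# ISO 8601 timestamp, plus the account names and window defined here.
PRIVILEGED = {"root", "admin"}
MAINTENANCE = {5: (time(22, 0), time(23, 59))}  # weekday() 5 = Saturday

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
SFTP = re.compile(r"subsystem request for sftp by user (?P<user>\S+)")

def in_maintenance(ts):
    window = MAINTENANCE.get(ts.weekday())
    return window is not None and window[0] <= ts.time() <= window[1]

def find_offhours_transfers(lines):
    """Return alerts for privileged SFTP requests outside maintenance windows."""
    last_src = {}  # (host, user) -> source address of the latest accepted login
    alerts = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd record
        ts = datetime.fromisoformat(m["ts"])
        login = ACCEPTED.search(m["msg"])
        if login:
            last_src[(m["host"], login["user"])] = login["src"]
            continue
        sftp = SFTP.search(m["msg"])
        if sftp and sftp["user"] in PRIVILEGED and not in_maintenance(ts):
            alerts.append({"time": m["ts"], "host": m["host"],
                           "user": sftp["user"],
                           "src": last_src.get((m["host"], sftp["user"]), "unknown")})
    return alerts

# Constructed sample lines (not real device output).
SAMPLE = [
    "2025-10-16T02:14:07 bigip1 sshd[4121]: Accepted password for admin from 198.51.100.7 port 50412 ssh2",
    "2025-10-16T02:14:09 bigip1 sshd[4121]: subsystem request for sftp by user admin",
    "2025-10-17T03:00:00 bigip1 sshd[5100]: subsystem request for sftp by user auditor",
    "2025-10-17T04:00:00 bigip1 sshd[5200]: subsystem request for sftp by user root",
    "2025-10-18T22:30:00 bigip1 sshd[5000]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2",
    "2025-10-18T22:30:02 bigip1 sshd[5000]: subsystem request for sftp by user root",
]

if __name__ == "__main__":
    for alert in find_offhours_transfers(SAMPLE):
        print(alert)
```

An SFTP request from a privileged account with no preceding accepted login in the log is reported with source `unknown`, which is worth reviewing as a possible log gap.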

Mitigation and prioritisation

  • Apply the latest non-EoTS patch on all affected appliances; if no patch is available, implement mitigations below.
  • Restrict or disable SCP/SFTP for privileged accounts; enforce MFA and tighten management network access.
  • Limit privileged admin scope, segregate duties, and apply network segmentation to reduce blast radius.
  • Enhance logging and SIEM coverage for privileged command activity and appliance-mode bypass attempts.
  • Change-management: test upgrade in a lab, validate policy integrity post‑update, and maintain a rollback plan.
  • If the CVE is listed in KEV or its EPSS score is ≥ 0.5, treat as priority 1; otherwise maintain high-priority remediation.
