CVE-2025-61955 — F5OS Eval Injection

Overview

F5OS is the management-plane operating system underpinning modern F5 platforms — F5OS-A (appliances) and F5OS-C (chassis / VELOS). This vulnerability lives in a code path that evaluates dynamically constructed expressions using attacker-influenced input without fully neutralizing it: the classic CWE-95 "Eval Injection" pattern.

The attacker must already have a valid local, authenticated foothold — but from there, they can slip crafted input into the evaluator and run with the privileges of the evaluating process, escalating on the management plane.

Affected Versions

F5OS-A

1.5.1 — 1.5.3 · 1.8.0

F5OS-C

1.6.0 — 1.6.2 · 1.8.0 — 1.8.1

Always verify the authoritative fixed-release matrix in F5's official advisory before planning an upgrade.

Technical Analysis

CWE-95 describes a bug class where an application passes partially-controlled data into a function that dynamically parses and executes it as code. When input sanitization is incomplete, the attacker breaks out of the data context and supplies instructions the interpreter then runs.

This is not pre-auth. The attacker needs a local authenticated foothold — a compromised operator account, a lateral-movement foothold from an adjacent tenant, or a previously established shell. The bar is real, but the outcome is significant: F5 appliances are often multi-tenant with multiple operator roles, so any cross-boundary escalation on the management plane is consequential.

Impact

Privilege escalation on the F5OS control plane
Potential movement across tenants or administrative partitions
Exposure of appliance configuration, keys, and credentials
Downstream risk to workloads terminating traffic on the device

Mitigation

Patch — upgrade to a fixed F5OS-A / F5OS-C release per the official advisory.
Restrict access — enforce least privilege, remove dormant accounts.
Harden the management plane — keep it off general-purpose networks; reach it only from trusted bastions.
MFA — require it for all administrative access.
Monitor — watch for unexpected privilege changes, new privileged processes, and config changes outside approved windows.

Detection Ideas

Alert on unusual process lineage on F5OS shells — anything spawning from a normally non-interactive management daemon.
Baseline legitimate configuration-change cadence and surface deviations.
Correlate local authentication events with subsequent privilege transitions.
Forward F5OS audit logs to the SIEM and detect operator-to-admin context switches.

References

Official F5 Advisory · K000156771 → NIST NVD · CVE-2025-61955 → MITRE CVE Record → CWE-95 · Eval Injection →

Personal analysis summarizing public information. Always verify affected versions and fixes against the official F5 advisory before acting.