POC详情: d4e36314d0e2924f0e9dd241f92ab71448593eb9

来源
https://github.com/mbadanoiu/CVE-2025-20029
关联漏洞
标题: BIG-IP iControl REST 和 tmsh 漏洞 (CVE-2025-20029)
描述:在iControl REST和BIG-IP TMOS Shell (tmsh)保存命令中存在命令注入漏洞,这可能允许经过身份验证的攻击者执行任意系统命令。 注意:已达到技术支持结束(EoTS)的软件版本不予评估。
描述
CVE-2025-20029: Command Injection in TMSH CLI in F5 BIG-IP
介绍
# CVE-2025-20029: Command Injection in TMSH CLI in F5 BIG-IP

A command injection vulnerability exists in the F5 “tmsh” restricted CLI which allows an authenticated attacker to leverage the commands accessible by a low privilege user in order to bypass restrictions, inject arbitrary commands and obtain remote code execution as the “root” user on the target system.

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://my.f5.com/manage/s/article/K000148587).

### Requirements:

This vulnerability requires:
<br/>
- Valid user credentials
- The capability to send requests to the iControl REST component and/or the capability to execute tmsh commands

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2025-20029/blob/main/F5%20-%20CVE-2025-20029.pdf).
文件快照

 [4.0K]  /data/pocs/d4e36314d0e2924f0e9dd241f92ab71448593eb9
├── [316K]  F5 - CVE-2025-20029.pdf
└── [ 892]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。