CVE-2025-36546 — Incorrect Authorization in F5 F5os Appliance

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

9.2CRITICALNVD

EPSS

0.3%

top 50.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 F5os Appliance F5 F5os Chassis F5 F5os-a +1 more

Timeline

PublishedMay 7

Latest updateMay 8

Description

On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5f5/f5os_appliance1.7.0 — 1.8.0+1

▶NVDf5/f5os-a1.5.1 — 1.5.3

▶CVEListV5f5/f5os_chassis1.6.0 — 1.8.0

▶NVDf5/f5os-c1.6.0 — 1.6.2

🔴Vulnerability Details

GHSA

GHSA-58w9-v93f-h76h: On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance M↗2025-05-08

▶

CVEList

F5OS Appliance Mode vulnerability↗2025-05-07

▶

📋Vendor Advisories

CVE-2025-36546: On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authenticat...↗2025-05-07

▶