CVE-2025-60013

CWE-78 — OS Command Injection CWE-237 documents7 sources

Severity

4.6MEDIUM

EPSS

0.0%

top 99.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 F5os - Appliance F5 F5os-a

Timeline

PublishedOct 15

Latest updateOct 27

Description

When a highly-privileged, authenticated attacker attempts to initialize the rSeries FIPS module using a password with special shell metacharacters, arbitrary system commands may be executed, and the FIPS hardware security module (HSM) may fail to initialize. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDf5/f5os-a1.5.1 — 1.5.4+1

▶CVEListV5f5/f5os_-_appliance1.8.0 — 1.8.3+1

🔴Vulnerability Details

GHSA

Apache Tomcat Vulnerable to Relative Path Traversal↗2025-10-27

▶

GHSA

GHSA-g34m-cm8j-m5gg: When a user attempts to initialize the rSeries FIPS module using a password with special shell metacharacters, the FIPS hardware security module (HSM)↗2025-10-15

▶

CVEList

F5OS-A FIPS HSM password vulnerability↗2025-10-15

▶

📋Vendor Advisories

CVE-2025-60013: When a highly-privileged, authenticated attacker attempts to initialize the rSeries FIPS module using a password with...↗2025-10-15

▶