CVE-2025-24320
📋 TL;DR
A stored XSS vulnerability in BIG-IP Configuration utility allows attackers to execute JavaScript in the context of logged-in users. This affects BIG-IP systems running vulnerable versions. The vulnerability results from an incomplete fix for CVE-2024-31156.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
- BIG-IP Advanced Web Application Firewall by F5
- BIG-IP Application Acceleration Manager by F5
- BIG-IP Application Security Manager by F5
- BIG-IP Application Visibility and Reporting by F5
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack sessions, deploy malware, or gain full administrative control of the BIG-IP system.
Likely Case
Attackers would steal session cookies or credentials to gain unauthorized access to the BIG-IP management interface.
If Mitigated
With proper network segmentation and access controls, impact would be limited to the management interface only.
🎯 Exploit Status
Requires the attacker to have access that allows injecting a malicious payload into the Configuration utility
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check F5 advisory K000140578 for specific fixed versions
Vendor Advisory: https://my.f5.com/manage/s/article/K000140578
Restart Required: No
Instructions:
1. Review F5 advisory K000140578
2. Identify affected BIG-IP versions
3. Apply recommended F5 patches
4. Verify patch installation
🔧 Temporary Workarounds
Restrict Configuration Utility Access
Limit access to the BIG-IP Configuration utility to trusted IP addresses only
Configure firewall rules to restrict access to BIG-IP management interface
Implement Content Security Policy
Add CSP headers to prevent XSS execution
Add 'Content-Security-Policy' header to web server configuration
🧯 If You Can't Patch
- Isolate BIG-IP management interface from untrusted networks
- Implement strict input validation and output encoding for Configuration utility
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version against F5 advisory K000140578
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify BIG-IP version is updated to patched version listed in advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in Configuration utility logs
- Multiple failed login attempts followed by successful login
Network Indicators:
- Unexpected JavaScript in HTTP requests to Configuration utility
- Suspicious outbound connections from BIG-IP management interface
SIEM Query:
source="bigip_logs" AND ("script" OR "javascript" OR "onload=" OR "onerror=")
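The SIEM query above applied to log lines, as an added example that is not part of this page or of F5's tooling: it runs the page's bare-substring indicators next to a tighter, URL-decoded pattern so the difference in false positives is visible. The log format, the /tmui path and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in an assumed Configuration utility access-log
# format (timestamp, client IP, method, path+query). Not real BIG-IP logs.
SAMPLE_LOGS = [
    "2025-02-05T10:00:01Z 198.51.100.7 GET /tmui/Control/form?desc=nightly+description",
    "2025-02-05T10:00:02Z 198.51.100.7 POST /tmui/Control/form?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "2025-02-05T10:00:03Z 203.0.113.9 GET /tmui/Control/form?img=x+onerror%3Dfetch(1)",
    "2025-02-05T10:00:04Z 203.0.113.9 GET /tmui/Control/form?url=JavaScript%3Avoid(0)",
    "2025-02-05T10:00:05Z 198.51.100.7 GET /tmui/Control/form?note=please+update+the+scripts+page",
]

# Broad indicators exactly as the page's SIEM query uses them: bare substrings.
BROAD = ("script", "javascript", "onload=", "onerror=")

# Tighter patterns that require tag/attribute context; applied after decoding.
TIGHT = re.compile(r"<\s*script|javascript\s*:|\bon(load|error)\s*=")


def normalize(line):
    # Decode twice and lower-case: payloads are often URL-encoded, sometimes
    # double-encoded, and mixed-case to slip past naive substring filters.
    return unquote(unquote(line)).lower()


def match_broad(line):
    """Indicators from the page's query that occur in the decoded line."""
    n = normalize(line)
    return [ind for ind in BROAD if ind in n]


def match_tight(line):
    """True only when a script tag, javascript: URL or on*= handler is present."""
    return TIGHT.search(normalize(line)) is not None


def triage(lines):
    """Return (line, broad_hits, tight_hit) for every line with any hit."""
    out = []
    for line in lines:
        b, t = match_broad(line), match_tight(line)
        if b or t:
            out.append((line, b, t))
    return out


if __name__ == "__main__":
    for line, b, t in triage(SAMPLE_LOGS):
        print(("TIGHT " if t else "broad ") + line, b)
```

Note that the broad query flags the benign "description" and "scripts" lines, so it is a starting point for triage rather than an alert on its own.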