CVE-2025-36546

On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://my.f5.com/manage/s/article/K000140574	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:f5:f5os-a::::::::
	cpe:2.3:o:f5:f5os-c::::::::

History

21 Oct 2025, 18:42

Type	Values Removed	Values Added
References	~~() https://my.f5.com/manage/s/article/K000140574 -~~	() https://my.f5.com/manage/s/article/K000140574 - Vendor Advisory
CPE		cpe:2.3:o:f5:f5os-c:::::::: cpe:2.3:o:f5:f5os-a::::::::
First Time		F5 f5os-c F5 F5 f5os-a

08 May 2025, 14:39

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-07 22:15

Updated : 2025-10-21 18:42

NVD link : CVE-2025-36546

Mitre link : CVE-2025-36546

CVE.ORG link : CVE-2025-36546

JSON object : View

Products Affected

f5

f5os-a
f5os-c

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-36546", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "f5sirt@f5.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "f5sirt@f5.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-07T22:15:19.927", "references": [{"url": "https://my.f5.com/manage/s/article/K000140574", "tags": ["Vendor Advisory"], "source": "f5sirt@f5.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "f5sirt@f5.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "En un sistema F5OS, si el usuario root configur\u00f3 previamente el sistema para permitir el inicio de sesi\u00f3n mediante autenticaci\u00f3n basada en clave SSH y luego activ\u00f3 el modo de dispositivo, el acceso mediante autenticaci\u00f3n basada en clave SSH seguir\u00e1 permitido. Para que un atacante aproveche esta vulnerabilidad, debe obtener la clave privada SSH del usuario root. Nota: Las versiones de software que han alcanzado el fin del soporte t\u00e9cnico (EoTS) no se eval\u00faan."}], "lastModified": "2025-10-21T18:42:57.403", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:f5:f5os-a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4899125F-A896-487F-A2AC-803FFCF0C4FF", "versionEndExcluding": "1.5.3", "versionStartIncluding": "1.5.1"}, {"criteria": "cpe:2.3:o:f5:f5os-c:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF2910A9-DD68-4E44-8805-3392DA88A297", "versionEndIncluding": "1.6.2", "versionStartIncluding": "1.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "f5sirt@f5.com"}