CVE-2025-54755
15.10.2025, 14:15
A directory traversal vulnerability exists in TMUI that allows an authenticated attacker to access files which are not limited to the intended files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
| Vendor | Product | Version |
|---|---|---|
| f5 | big-ip_access_policy_manager | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_advanced_firewall_manager | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_advanced_web_application_firewall | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_analytics | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_application_acceleration_manager | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_application_security_manager | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_application_visibility_and_reporting | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_automation_toolchain | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_carrier-grade_nat | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_container_ingress_services | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_ddos_hybrid_defender | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_domain_name_system | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_edge_gateway | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_fraud_protection_service | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_global_traffic_manager | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_link_controller | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_local_traffic_manager | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_policy_enforcement_manager | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_ssl_orchestrator | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_webaccelerator | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_websafe | 15.1.0 ≤ 𝑥 < 15.1.10.8 |
| f5 | big-ip_access_policy_manager | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_advanced_firewall_manager | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_advanced_web_application_firewall | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_analytics | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_application_acceleration_manager | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_application_security_manager | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_application_visibility_and_reporting | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_automation_toolchain | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_carrier-grade_nat | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_container_ingress_services | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_ddos_hybrid_defender | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_domain_name_system | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_edge_gateway | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_fraud_protection_service | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_global_traffic_manager | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_link_controller | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_local_traffic_manager | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_policy_enforcement_manager | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_ssl_orchestrator | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_webaccelerator | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_websafe | 16.1.0 ≤ 𝑥 < 16.1.6.1 |
| f5 | big-ip_access_policy_manager | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_access_policy_manager | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_advanced_firewall_manager | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_advanced_firewall_manager | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_advanced_web_application_firewall | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_advanced_web_application_firewall | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_analytics | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_analytics | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_application_acceleration_manager | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_application_acceleration_manager | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_application_security_manager | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_application_security_manager | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_application_visibility_and_reporting | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_application_visibility_and_reporting | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_automation_toolchain | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_automation_toolchain | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_carrier-grade_nat | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_carrier-grade_nat | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_container_ingress_services | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_container_ingress_services | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_ddos_hybrid_defender | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_ddos_hybrid_defender | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_domain_name_system | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_domain_name_system | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_edge_gateway | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_edge_gateway | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_fraud_protection_service | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_fraud_protection_service | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_global_traffic_manager | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_link_controller | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_link_controller | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_local_traffic_manager | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_local_traffic_manager | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_policy_enforcement_manager | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_policy_enforcement_manager | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_ssl_orchestrator | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_ssl_orchestrator | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_webaccelerator | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_webaccelerator | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
| f5 | big-ip_websafe | 17.1.0 ≤ 𝑥 < 17.1.3 |
| f5 | big-ip_websafe | 17.5.0 ≤ 𝑥 ≤ 17.5.1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-146 - Improper Neutralization of Expression/Command DelimitersThe software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.