Simulating CVE-2025-20029 From Vulnerability to PoC
This post documents the process of understanding and simulating CVE-2025-20029, a remote code execution vulnerability in F5 BIG-IP, by building a self-contained lab.
Rather than simply reproducing the PoC, I focused on understanding the vulnerability’s core logic, building a safe environment for experimentation, and clarifying its real-world implications for both attackers and defenders.
Why I Built This
Modern exploit research isn’t just about triggering vulnerabilities — it’s about understanding them deeply enough to simulate them safely, explain them clearly, and learn from them.
I created this replayable lab to:
- Deconstruct the vulnerability logic without touching production systems
- Enable teammates or learners to walk through each phase of exploitation safely
- Explore detection opportunities from a blue-team perspective
- Practice end-to-end threat modeling
Vulnerability Summary
CVE-2025-20029 is an RCE vulnerability affecting F5 BIG-IP due to improper input validation in a REST API endpoint.
While often associated with deserialization patterns, this bug stems more directly from untrusted JSON input being passed to a system shell.
Key references consulted:
- CyberSecurityNews – Initial PoC release
- F5 Security Advisory (K000137353)
- Vendor advisory and packet captures
- Reverse-engineered request structure using Burp Suite
Replayable Lab Structure
| Path | Description |
|---|---|
/exploit |
Python PoC that crafts and delivers the REST-based payload |
/utils |
Scripts to generate a markdown report |
Everything runs in Docker with no external dependencies. This enables:
- Safe replays without side effects
- Easy integration into team workshops
- Repeatable red-team simulation
Attack Flow
- Recon: Identify management endpoint (
/mgmt/tm/util/bash) exposure - Payload crafting: Prepare JSON object with command to run (
{"command": "id"}) - Exploit delivery: Send POST request with JSON payload using Python script
- Code execution: Observe system response, analyze log or output
Exploit Script Breakdown (exploit/exploit.py)
The exploit.py script simulates the exploitation of F5 BIG-IP’s REST API endpoint, which processes command execution via /mgmt/tm/util/bash.
This script doesn’t use deserialization tricks, but rather emulates the vulnerable behavior of directly passing user-controlled JSON input to a system-level bash execution routine.
Key functionalities:
- Target endpoint: Sends a POST request to the
/mgmt/tm/util/bashendpoint, which exists in real F5 BIG-IP systems under certain configurations. - Payload delivery: Supplies a simple JSON object
{"command": "id"}, which gets executed by the server if not properly sanitized. - Response parsing: Displays the output of the executed command for confirmation and debugging.
Why it matters:
This script helps simulate real-world API abuse scenarios, where administrative interfaces unintentionally expose command execution functionality.
It enables controlled validation of the vulnerability logic and can be easily extended to test other endpoints or injected payloads.
Blue Team Angle
This helps defenders understand:
- Where in the request lifecycle detection is possible
- Which logs matter, and which don’t
- How attackers adapt payloads to avoid detection
Lessons Learned
- Vulnerabilities rooted in control-plane logic or API misuse are easily overlooked but often critical
- Building a replayable simulation forces better understanding of real exploitability
- Incorporating detection logic helps align red-team thinking with defense priorities
Community Exposure
To ensure this research contributes to the wider security community,
the PoC was structured in a discoverable and modular way — and has since been indexed on Sploitus,a public CVE PoC aggregator.
While Sploitus indexing is automated, inclusion signals that the repository adheres to open-source norms and provides reproducible technical artifacts.
Repo
Full code and lab: GitHub – CVE-2025-20029 Simulation