Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f5) · only source for this CVE.
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Command injection in F5 BIG-IP and BIG-IQ SNMP configuration allows highly privileged Resource Administrators to escalate privileges to root via crafted iControl REST API calls or TMOS shell commands. Despite the high CVSS score (8.7), exploitation requires existing Resource Administrator credentials, significantly limiting real-world attack surface to insider threats or post-compromise scenarios. Vendor-released patches are available per F5 security advisory K000160981.
Technical ContextAI
This vulnerability stems from improper neutralization of special elements in SNMP configuration object creation (CWE-77: Command Injection). F5's BIG-IP Application Delivery Controllers and BIG-IQ centralized management platform use the Traffic Management Operating System (TMOS) and expose management interfaces through iControl REST API and the tmsh command-line shell. The SNMP configuration subsystem fails to properly sanitize input when Resource Administrators create SNMP objects, allowing injection of operating system commands. The scope change (S:C) in the CVSS vector indicates the vulnerability can impact resources beyond the vulnerable component's security scope, consistent with privilege escalation from Resource Administrator to full system access.
RemediationAI
Apply vendor-released security patches documented in F5 Security Advisory K000160981 available at https://my.f5.com/manage/s/article/K000160981. Follow F5's standard upgrade procedures for BIG-IP and BIG-IQ systems, ensuring configuration backups are current before patching. If immediate patching is not feasible, implement compensating controls: (1) Audit and minimize accounts with Resource Administrator role to only essential personnel with verified need-to-know, (2) Enable enhanced logging for iControl REST API calls and tmsh command execution by Resource Administrators to detect suspicious SNMP configuration changes, (3) Implement additional approval workflows requiring Security Administrator review before Resource Administrators can create or modify SNMP objects (achievable through custom iControl LX extensions or workflow automation). Note that restricting SNMP functionality entirely may impact legitimate monitoring and management operations. These compensating controls reduce attack surface but do not eliminate the vulnerability.
Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges t
Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor e
Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via
Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote a
Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles
F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when process
Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Pro
Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are c
Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM)
Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual server
Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust conn
Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Tra
Same weakness CWE-77 – Command Injection
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29979
GHSA-r6m3-x9hj-j6gx