Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f5) · only source for this CVE.
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Information disclosure in F5 BIG-IP Configuration utility allows low-privileged authenticated attackers to access sensitive information through undisclosed pages, affecting the confidentiality of administrative data without requiring user interaction or privileged credentials beyond standard authentication.
Technical ContextAI
The vulnerability resides in the Configuration utility component of F5 BIG-IP, a widely-deployed application delivery controller and load balancer platform. The root cause (CWE-643: Improper Neutralization of Data into an XPath Expression) suggests the vulnerability involves unsafe handling of user input in XPath queries or similar data access mechanisms that fail to properly validate or sanitize parameters before querying configuration data stores. The affected versions span BIG-IP deployments across its entire product line (CPE: cpe:2.3:a:f5:big-ip:*:*:*:*:*:*:*:*), though organizations running end-of-life versions (EoTS) are explicitly excluded from vendor support assessment.
RemediationAI
Apply the vendor-released patch available via F5 support article K000150515 at https://my.f5.com/manage/s/article/K000150515. Organizations unable to patch immediately should restrict network access to the Configuration utility management interface using firewall rules or management IP whitelisting, limiting exposure to trusted administrative subnets only. Additionally, enforce the principle of least privilege by auditing BIG-IP user accounts and removing low-privilege authentication credentials that do not require Configuration utility access, reducing the attack surface for credential compromise. Note that network isolation is a temporary control with reduced usability impact but does not address the root vulnerability-patching remains the required long-term remediation.
Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges t
Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor e
Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via
Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote a
Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles
F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when process
Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Pro
Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are c
Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM)
Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual server
Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust conn
Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Tra
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29980
GHSA-429c-h8f6-fcq6