Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f5) · only source for this CVE.
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Sensitive information disclosure in F5 BIG-IP and BIG-IQ allows authenticated administrators with resource administrator role to view confidential data via undisclosed iControl REST endpoints or TMOS Shell commands. The vulnerability requires high-privilege authentication and produces no system modification or availability impact, limiting real-world risk despite network accessibility. Vendor has released patches addressing the information exposure.
Technical ContextAI
The vulnerability exists in the iControl REST API framework and TMOS Shell (tmsh) command-line interface, both core administrative interfaces in F5 BIG-IP and BIG-IQ systems. The iControl REST endpoint and specific tmsh command fail to enforce proper data filtering or access controls when returning configuration or operational data to authenticated users. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) indicates inadequate output sanitization or overly permissive data access policies. The vulnerability is exposed via network interfaces (AV:N) but requires existing authentication credentials with resource administrator privileges, significantly limiting the attack surface compared to unauthenticated disclosure vulnerabilities.
RemediationAI
Apply the vendor-released patch from F5 article K32950402 immediately for all supported BIG-IP and BIG-IQ installations. The patch specifically addresses the iControl REST endpoint and tmsh command data filtering. No workarounds are documented; patching is the primary remediation. Interim compensating controls include: (1) restrict iControl REST API access via firewall or network segmentation to trusted management networks only (trade-off: reduces operational convenience for remote administrators), (2) audit and minimize the number of user accounts with resource administrator role privileges, (3) enable and monitor iControl access logs for suspicious data queries by high-privilege accounts. Organizations on EoTS versions should evaluate migration to supported releases as patching is not available for end-of-life products.
Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges t
Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor e
Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via
Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote a
Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles
F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when process
Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Pro
Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are c
Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM)
Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual server
Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust conn
Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Tra
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29989
GHSA-f568-29c8-2vx4