Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f5) · only source for this CVE.
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Incorrect permission assignment in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and iControl REST allows authenticated attackers to view network status of destination systems. Affected versions vary by product line; vendor has released patches. Authentication is required, limiting exposure to users with valid credentials, but the high confidentiality impact (CVSS 6.5) makes this a material information disclosure risk for organizations managing sensitive network infrastructure.
Technical ContextAI
The vulnerability stems from improper access control enforcement (CWE-732) in two distinct F5 components: the TMOS Shell (tmsh) command-line interface used for system administration and diagnostics, and the iControl REST API which provides programmatic access to BIG-IP/BIG-IQ configuration and monitoring. The tmsh network diagnostics commands and iControl REST endpoints fail to properly validate that the authenticated user has the required permissions to view network status information, allowing privilege escalation or lateral access to sensitive network topology and status data that should be restricted by role-based access control policies.
RemediationAI
Apply vendor-released patch from F5 as documented in https://my.f5.com/manage/s/article/K000161022. Exact patched versions are not enumerated in available data; consult the F5 advisory to identify the correct upgrade path for your specific BIG-IP or BIG-IQ version and product line. As an interim control, restrict API access to tmsh network diagnostics commands and iControl REST endpoints to trusted administrative subnets or restrict them at the load balancer/firewall level. Additionally, implement role-based access control (RBAC) enforcement in F5 console settings to ensure only administrators requiring network diagnostics access are granted those permissions, though this does not address the underlying permission assignment bug. Monitor authentication logs for suspicious access patterns to tmsh and iControl REST by low-privilege accounts.
Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges t
Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor e
Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via
Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote a
Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles
F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when process
Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Pro
Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are c
Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM)
Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual server
Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust conn
Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Tra
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29992
GHSA-qxf3-7mw3-hq68