Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f5) · only source for this CVE.
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction required. Vendor-released patch available per F5 advisory K000156761. No public exploit identified at time of analysis, with CVSS 8.8 indicating critical severity for environments where attackers have valid low-privilege credentials to the Configuration utility.
Technical ContextAI
This vulnerability exploits unsafe deserialization (CWE-502) in the F5 Configuration utility, the web-based management interface for BIG-IP application delivery controllers and BIG-IQ centralized management platforms. Deserialization flaws occur when applications accept serialized objects from untrusted sources without proper validation, allowing attackers to inject malicious object streams that execute arbitrary code during the deserialization process. The Configuration utility runs with elevated privileges to manage system configuration, making successful exploitation particularly dangerous. Both BIG-IP (used for load balancing, traffic management, and application security) and BIG-IQ (used for centralized management of multiple BIG-IP instances) are affected across unspecified version ranges, as indicated by the CPE wildcard entries.
RemediationAI
Apply vendor-supplied patches detailed in F5 Security Advisory K000156761 available at https://my.f5.com/manage/s/article/K000156761, which provides specific fixed versions for affected BIG-IP and BIG-IQ releases. Until patching is completed, implement network-level access controls to restrict Configuration utility access exclusively to dedicated management VLANs or jump hosts, blocking internet-facing exposure entirely-side effect is reduced remote management flexibility but substantially lowers attack surface. Enforce multi-factor authentication on all Configuration utility accounts to raise the credential theft barrier required for exploitation. Audit existing user accounts and remove or demote unnecessary elevated privileges, as the PR:L requirement means even low-privilege authenticated users can exploit this. Monitor Configuration utility authentication logs for unusual access patterns or failed login attempts that might indicate credential compromise preceding exploitation attempts. Deploy web application firewall rules to inspect and block suspicious serialized object patterns in requests to the management interface, though this may cause false positives with legitimate administrative operations and requires careful tuning.
Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor e
Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via
Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote a
Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles
F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when process
Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Pro
Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are c
Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM)
Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual server
Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust conn
Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Tra
Remote denial of service in F5 BIG-IP Access Policy Manager (APM) allows unauthenticated attackers to crash the apmd pro
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29991
GHSA-628r-43mh-742x