Skip to main content

BIG-IP and BIG-IQ EUVDEUVD-2026-29991

| CVE-2026-41957 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-13 f5 GHSA-628r-43mh-742x
8.7
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (f5) · only source for this CVE.

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 16:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Analysis Generated
May 13, 2026 - 15:45 vuln.today
CVE Published
May 13, 2026 - 14:12 nvd
HIGH 8.8

DescriptionCVE.org

An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction required. Vendor-released patch available per F5 advisory K000156761. No public exploit identified at time of analysis, with CVSS 8.8 indicating critical severity for environments where attackers have valid low-privilege credentials to the Configuration utility.

Technical ContextAI

This vulnerability exploits unsafe deserialization (CWE-502) in the F5 Configuration utility, the web-based management interface for BIG-IP application delivery controllers and BIG-IQ centralized management platforms. Deserialization flaws occur when applications accept serialized objects from untrusted sources without proper validation, allowing attackers to inject malicious object streams that execute arbitrary code during the deserialization process. The Configuration utility runs with elevated privileges to manage system configuration, making successful exploitation particularly dangerous. Both BIG-IP (used for load balancing, traffic management, and application security) and BIG-IQ (used for centralized management of multiple BIG-IP instances) are affected across unspecified version ranges, as indicated by the CPE wildcard entries.

RemediationAI

Apply vendor-supplied patches detailed in F5 Security Advisory K000156761 available at https://my.f5.com/manage/s/article/K000156761, which provides specific fixed versions for affected BIG-IP and BIG-IQ releases. Until patching is completed, implement network-level access controls to restrict Configuration utility access exclusively to dedicated management VLANs or jump hosts, blocking internet-facing exposure entirely-side effect is reduced remote management flexibility but substantially lowers attack surface. Enforce multi-factor authentication on all Configuration utility accounts to raise the credential theft barrier required for exploitation. Audit existing user accounts and remove or demote unnecessary elevated privileges, as the PR:L requirement means even low-privilege authenticated users can exploit this. Monitor Configuration utility authentication logs for unusual access patterns or failed login attempts that might indicate credential compromise preceding exploitation attempts. Deploy web application firewall rules to inspect and block suspicious serialized object patterns in requests to the management interface, though this may cause false positives with legitimate administrative operations and requires careful tuning.

More in Big Ip

View all
CVE-2026-39455 HIGH
8.7 May 13

Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor e

CVE-2026-42409 HIGH
8.7 May 13

Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via

CVE-2026-40423 HIGH
8.7 May 13

Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote a

CVE-2026-39458 HIGH
8.7 May 13

Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles

CVE-2026-40060 HIGH
8.7 May 13

F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when process

CVE-2026-41227 HIGH
8.7 May 13

Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Pro

CVE-2026-40618 HIGH
8.7 May 13

Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are c

CVE-2026-41956 HIGH
8.7 May 13

Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM)

CVE-2026-42920 HIGH
8.7 May 13

Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual server

CVE-2026-40629 HIGH
8.7 May 13

Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust conn

CVE-2026-41218 HIGH
8.7 May 13

Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Tra

CVE-2026-40067 HIGH
8.7 May 13

Remote denial of service in F5 BIG-IP Access Policy Manager (APM) allows unauthenticated attackers to crash the apmd pro

Share

EUVD-2026-29991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy