Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f5) · only source for this CVE.
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Arbitrary command execution in F5 BIG-IP and BIG-IQ Certificate Manager allows highly privileged attackers with Certificate Manager role to run OS commands by modifying configuration objects. The vulnerability requires network access and high privileges (PR:H) but enables scope change (S:C) with high confidentiality and integrity impact. Vendor-released patch available per F5 Security Advisory K000160971. EPSS data not provided; no confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.
Technical ContextAI
This vulnerability affects F5 BIG-IP Application Delivery Controllers and BIG-IQ Centralized Management platforms, specifically within the Certificate Manager component. The root cause is CWE-267 (Privilege Defined With Unsafe Actions), indicating that the Certificate Manager role has excessive permissions that allow configuration object modifications beyond its intended scope. The CVSS scope change metric (S:C) suggests the vulnerability enables an attacker to break out of the intended security boundary of the Certificate Manager role to affect resources under a different authority - in this case, executing arbitrary operating system commands on the underlying F5 system. The affected CPE strings (cpe:2.3:a:f5:big-ip and cpe:2.3:a:f5:big-iq) indicate broad impact across both product lines, though F5 has not evaluated End of Technical Support versions. The network attack vector (AV:N) means exploitation can occur remotely through management interfaces rather than requiring local system access.
RemediationAI
Apply vendor-released patches detailed in F5 Security Advisory K000160971 available at https://my.f5.com/manage/s/article/K000160971. The advisory should specify exact fixed versions for both BIG-IP and BIG-IQ product lines. Until patching is complete, implement compensating controls: restrict Certificate Manager role assignment to only personnel who absolutely require certificate lifecycle management functions, enforce multi-factor authentication for all administrative access to BIG-IP/BIG-IQ management interfaces, implement network segmentation to limit management interface exposure (bind to dedicated management VLANs rather than production networks), enable comprehensive audit logging for all configuration changes especially those made by Certificate Manager role accounts, and review recent configuration object modifications for unauthorized changes that could indicate exploitation attempts. Note that restricting Certificate Manager role may impact legitimate certificate renewal workflows - coordinate with teams responsible for SSL/TLS certificate operations before implementing role restrictions.
Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges t
Memory-exhaustion denial of service in F5 BIG-IP affects any virtual server configured with an HTTP/2 profile, where a r
Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor e
Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via
Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote a
Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles
F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when process
Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Pro
Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are c
Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM)
Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual server
Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust conn
Same weakness CWE-267 – Privilege Defined With Unsafe Actions
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29997
GHSA-j3w3-p4g3-436q