
Big Ip

44 CVEs product


CVE-2026-40423 HIGH PATCH This Week

Traffic Management Microkernel (TMM) crash in F5 BIG-IP versions 16.1.0 through 21.0.0.1 allows unauthenticated remote attackers to cause complete service disruption when a SIP profile is configured on a virtual server. The vulnerability requires specific configuration (SIP profile deployment) and enables denial of service through undisclosed malformed SIP traffic. EPSS data not available; no active exploitation confirmed by CISA KEV at time of analysis. Vendor patch available across all affected version branches with specific fix versions identified.

Denial Of Service Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42930 HIGH PATCH This Week

Authenticated administrators in F5 BIG-IP Appliance mode can bypass configuration restrictions designed to prevent system-level access. Administrators with the 'Administrator' role can circumvent Appliance mode lockdown controls, potentially modifying underlying system configurations that should be protected in this deployment mode. Vendor patch available per F5 Security Advisory K000160876. CVSS 8.5 reflects high confidentiality/integrity impact despite requiring privileged authentication.

Authentication Bypass Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-24464 MEDIUM PATCH This Month

Directory traversal vulnerability in F5 BIG-IP iControl REST endpoint when running in Appliance mode allows authenticated administrators to delete arbitrary files, crossing security boundaries. The vulnerability requires high-privilege administrator role access and network connectivity to the iControl REST interface, but no user interaction. Patch availability confirmed from F5; no active exploitation reported.

Path Traversal Big Ip
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-39458 HIGH PATCH This Week

Traffic Management Microkernel (TMM) denial-of-service in F5 BIG-IP DNS affects systems with DNS cache-enabled profiles on virtual servers. Remote unauthenticated attackers can crash TMM using undisclosed malicious traffic patterns, causing complete service disruption. CVSS 7.5 (High) with a network attack vector and low attack complexity. EPSS data not available; no confirmed active exploitation or public PoC identified at time of analysis. Vendor patch available per F5 K000160945.

Information Disclosure Memory Corruption Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41959 HIGH PATCH This Week

Incorrect permission assignment in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and iControl REST allows authenticated attackers to view network status of destination systems. Affected versions vary by product line; vendor has released patches. Authentication is required, limiting exposure to users with valid credentials, but the high confidentiality impact (CVSS 6.5) makes this a material information disclosure risk for organizations managing sensitive network infrastructure.

Information Disclosure Big Ip Big Iq
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-42406 HIGH PATCH This Week

Arbitrary command execution in F5 BIG-IP and BIG-IQ Certificate Manager allows highly privileged attackers with Certificate Manager role to run OS commands by modifying configuration objects. The vulnerability requires network access and high privileges (PR:H) but enables scope change (S:C) with high confidentiality and integrity impact. Vendor-released patch available per F5 Security Advisory K000160971. EPSS data not provided; no confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.

Information Disclosure Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-42058 MEDIUM PATCH This Month

F5 BIG-IP iControl REST API allows authenticated attackers to enumerate local user account names through undisclosed requests, leading to information disclosure of administrative user identities. The vulnerability requires valid authentication credentials and network access to the iControl REST interface, affecting systems with BIG-IP versions that have not reached End of Technical Support. CVSS 4.3 (low) reflects the requirement for prior authentication and confidentiality-only impact, though the enumeration of administrative accounts could facilitate downstream attacks.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-32643 HIGH PATCH This Week

Configuration manipulation in F5 BIG-IP and BIG-IQ Certificate Manager allows authenticated attackers with high privileges to execute arbitrary commands with scope change. Attackers holding Certificate Manager role credentials can modify configuration objects to run system commands, escalating from administrative interface access to underlying system control. CVSS 8.7 reflects the scope change (S:C) enabling broader impact than typical privileged command injection. No public exploit identified at time of analysis. F5 has released vendor patches per K000160972.

Privilege Escalation Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-42937 HIGH PATCH This Week

Incorrect permission assignment in F5 BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST, allows authenticated attackers to view sensitive adjacent network information due to improper access controls. The vulnerability affects multiple product lines and requires valid authentication to exploit, making it a privilege escalation concern for environments where lower-privileged users have access to management interfaces.

Information Disclosure Big Ip Big Iq
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-39455 HIGH PATCH This Week

Resource exhaustion in BIG-IP Configuration utility allows remote unauthenticated attackers to trigger file descriptor exhaustion in the httpd process when LDAP authentication is enabled. The attack achieves complete denial of service (CVSS A:H) through network-accessible undisclosed traffic patterns. F5 has released patches addressing this vulnerability. EPSS data not available; not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32673 HIGH PATCH This Week

Authenticated administrators with Resource Administrator or Administrator role can execute arbitrary system commands with elevated privileges in F5 BIG-IP scripted monitors, potentially crossing security boundaries in appliance mode deployments. The vulnerability requires high privilege level and network access but allows complete command execution with no user interaction, affecting confidentiality and integrity.

Privilege Escalation Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-41217 HIGH PATCH This Week

F5 BIG-IP TMOS shell (tmsh) allows authenticated administrators and resource administrators to execute arbitrary system commands with elevated privileges via an undisclosed command, potentially crossing security boundaries in Appliance mode deployments. The vulnerability requires high-privilege account access and local command-line interaction but poses significant risk to appliance-mode BIG-IP systems where privilege escalation could compromise the entire platform.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-34176 HIGH PATCH This Week

Remote command injection in F5 BIG-IP Appliance mode allows high-privilege authenticated attackers to execute arbitrary OS commands through an undisclosed iControl REST endpoint, crossing security boundaries between management and administrative contexts. CVSS 8.7 with scope change (S:C) indicates container escape or privilege domain breach. F5 has released vendor patches per advisory K000160857. No public exploit code or CISA KEV listing identified at time of analysis, limiting immediate mass-exploitation risk despite network attack vector.

Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-42063 MEDIUM PATCH This Month

Authenticated high-privilege attackers with Resource Administrator or Administrator roles can download sensitive files from F5 BIG-IP iControl SOAP interface due to improper path validation. The vulnerability requires valid administrative credentials and does not affect versions that have reached End of Technical Support, limiting exposure to actively maintained deployments. No public exploit code or active exploitation has been identified.

Information Disclosure Path Traversal Big Ip
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-41225 HIGH PATCH NEWS This Week

F5 BIG-IP iControl REST allows authenticated attackers with Manager role or higher to execute arbitrary commands through malicious configuration objects. This authenticated remote code execution vulnerability carries a CVSS score of 7.2 but requires high privileges (Manager role), significantly limiting the attack surface to insider threats or compromised administrator accounts. No public exploitation or proof-of-concept has been identified at time of analysis, and F5 has released vendor patches per advisory K000160916.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-39459 HIGH PATCH This Week

Authenticated attackers with Manager role or higher in F5 BIG-IP can execute arbitrary commands via malicious configuration objects in iControl REST API and TMOS Shell (tmsh). This privilege escalation vulnerability allows administrators to break out of their intended access boundaries and achieve full system control. CVSS 7.2 (High) reflects network accessibility with high privileges required. No public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-41953 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrator users to elevate privileges through configuration object manipulation. The command injection flaw (CWE-77) enables attackers with existing high-privilege access to gain administrative control over the BIG-IP system. CVSS score of 8.7 reflects high impact due to scope change (compromising beyond the vulnerable component), though exploitation requires existing Resource Administrator credentials (PR:H). EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation.

Privilege Escalation Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-40631 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators to gain full Administrator privileges by exploiting insecure iControl SOAP API configuration handling. Attackers with high-privilege Resource Administrator access can modify configuration objects to escalate to Administrator level, achieving cross-scope access to confidential data and integrity compromise. EPSS risk assessment unavailable, but exploitation requires legitimate Resource Administrator credentials and network access to management interface, limiting attack surface to insider threats or compromised administrative accounts.

Privilege Escalation Information Disclosure Path Traversal Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-40698 HIGH PATCH This Week

Command injection in F5 BIG-IP and BIG-IQ SNMP configuration allows highly privileged Resource Administrators to escalate privileges to root via crafted iControl REST API calls or TMOS shell commands. Despite the high CVSS score (8.7), exploitation requires existing Resource Administrator credentials, significantly limiting real-world attack surface to insider threats or post-compromise scenarios. Vendor-released patches are available per F5 security advisory K000160981.

Privilege Escalation Command Injection Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-42924 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators or Administrators to execute arbitrary OS commands by creating malicious SNMP configuration objects via the legacy iControl SOAP API. Attackers with high-level administrative credentials can break out of their role constraints to gain full system control. F5 has released patches addressing this command injection flaw (CWE-78). No active exploitation confirmed at time of analysis, but the CVSS:3.1 Changed Scope indicator and attack complexity of Low make this exploitable by any administrator with SOAP API access.

Privilege Escalation Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-40060 HIGH PATCH This Week

F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when processing specially crafted requests against virtual servers with active security policies. Undisclosed malformed requests cause the bd process to terminate, disrupting service availability. Remote unauthenticated attackers can exploit this with low complexity (CVSS:3.1 AV:N/AC:L/PR:N/UI:N) achieving high availability impact (CVSS 7.5). EPSS data not provided, no active exploitation confirmed via CISA KEV at time of analysis. Vendor patch available per F5 advisory K000160727.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42409 HIGH PATCH This Week

Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via undisclosed malformed HTTP/2 requests when virtual servers are configured with both an HTTP/2 profile and iRules using HTTP::redirect or HTTP::respond commands. Exploitation requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N) and results in complete service disruption. Vendor patch available via F5 K000159034. EPSS data not provided, but the specific configuration requirement limits exposure to organizations using HTTP/2 with custom iRule redirects or responses.

Denial Of Service Null Pointer Dereference Big Ip Next For Kubernetes Big Ip Big Ip Next Spk +1
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41227 HIGH PATCH This Week

Remote memory exhaustion in F5 BIG-IP virtual servers crashes the Traffic Management Microkernel (TMM) when HTTP/2 Layer 7 DoS Protection receives undisclosed malformed traffic. Unauthenticated remote attackers can reliably terminate TMM processes, disrupting application delivery services. CVSS 7.5 (High), network-exploitable with low attack complexity; EPSS data not provided. Vendor patch available via F5 K000158979.

Denial Of Service Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40061 HIGH PATCH This Week

Authenticated attackers with Resource Administrator or Administrator role can execute arbitrary system commands via undisclosed iControl REST or BIG-IP TMOS Shell (tmsh) commands, potentially escalating privileges and crossing security boundaries in Appliance mode deployments. CVSS 6.5 reflects high privileges required (PR:H) but high confidentiality and integrity impact. No public exploit code identified at time of analysis.

Command Injection Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-35062 HIGH PATCH This Week

Authenticated users of F5 BIG-IP iControl SOAP interface can access account information belonging to other users due to insufficient access controls. The vulnerability affects BIG-IP systems where iControl SOAP is accessible and requires valid authentication credentials to exploit, allowing attackers with legitimate access to enumerate or retrieve confidential account details beyond their authorization scope.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-40618 HIGH PATCH This Week

Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are configured without hardware crypto acceleration, allowing remote unauthenticated attackers to cause denial of service via undisclosed traffic patterns. CVSS 7.5 (High) with a network attack vector and no authentication or user interaction required. EPSS data not provided; no CISA KEV listing identified, indicating theoretical rather than observed exploitation. Vendor patch available per F5 advisory K000158082.

Information Disclosure Intel Big Ip Next For Kubernetes Big Ip Big Ip Next Spk +1
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41956 HIGH PATCH This Week

Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) by sending specially crafted UDP requests to virtual servers with classification profiles enabled. The vulnerability affects BIG-IP, BIG-IP Next CNF, and BIG-IP Next for Kubernetes platforms. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available per F5 advisory K000158038.

Buffer Overflow Stack Overflow Big Ip Next For Kubernetes Big Ip Big Ip Next Cnf
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42920 HIGH PATCH This Week

Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual servers configured with Client SSL profiles having Allow Dynamic Record Sizing enabled. Remote unauthenticated attackers can trigger complete service denial by sending crafted traffic, causing TMM process crashes. F5 has released patches per advisory K000160901.

Denial Of Service Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40629 HIGH PATCH This Week

Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust connection processing via undisclosed traffic patterns, forcing affected servers to reject new client connections. The vulnerability affects multiple BIG-IP product lines including classic BIG-IP and all BIG-IP Next variants (SPK, CNF, Kubernetes). F5 has released vendor patches (K000158978), and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N), this represents a straightforward network-based DoS attack requiring no authentication or special complexity.

Denial Of Service Big Ip Next For Kubernetes Big Ip Big Ip Next Spk Big Ip Next Cnf
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42919 HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated administrators to cross security boundaries and achieve elevated system access through a stack buffer overflow. The vulnerability affects all BIG-IP versions and requires high-privilege administrative credentials and direct network access to exploit. No public exploit code or active exploitation has been identified at time of analysis, but a vendor patch is available.

Buffer Overflow Stack Overflow Big Ip
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-41218 HIGH PATCH This Week

Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) via undisclosed traffic patterns when PEM-specific iRules are configured on a virtual server. The vulnerability is a use-after-free memory corruption issue (CWE-416) affecting CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and urlcatquery iRule commands. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates straightforward remote exploitation with high availability impact. EPSS data not provided, but F5 has released a vendor patch (K000160875). No public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Use After Free Memory Corruption Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42781 HIGH PATCH This Week

Denial of service in F5 BIG-IP when Packet Velocity Acceleration (ePVA) is enabled allows local network attackers to exhaust ePVA and Traffic Management Microkernel (TMM) resources through crafted Ethernet traffic, causing service degradation or unavailability. CVSS 6.5 (medium severity) reflects the adjacent network access requirement and high availability impact. Patch availability confirmed via vendor advisory.

Denial Of Service Big Ip
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41957 HIGH PATCH NEWS This Week

Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction required. Vendor-released patch available per F5 advisory K000156761. No public exploit identified at time of analysis, with CVSS 8.8 indicating critical severity for environments where attackers have valid low-privilege credentials to the Configuration utility.

RCE Deserialization Big Ip Big Iq
NVD VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-42408 MEDIUM PATCH This Month

F5 BIG-IP DNS when provisioned contains an undisclosed TMOS Shell (tmsh) command vulnerability allowing highly privileged authenticated attackers to view sensitive information. The vulnerability requires high-privilege account access and local shell access (AV:L, PR:H), limiting real-world exploitation to insider threats or post-compromise scenarios where an attacker has already obtained administrative credentials on the management interface.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
6.7
EPSS
0.0%
CVE-2026-40067 HIGH PATCH This Week

Remote denial of service in F5 BIG-IP Access Policy Manager (APM) allows unauthenticated attackers to crash the apmd process by sending specially crafted traffic to virtual servers with APM access policies configured. The vulnerability stems from a buffer overflow (CWE-120) and requires no authentication or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis. F5 has released vendor patches per advisory K000161056.

Buffer Overflow Big Ip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40699 HIGH PATCH This Week

Information disclosure in F5 BIG-IP Configuration utility allows low-privileged authenticated attackers to access sensitive information through undisclosed pages, affecting the confidentiality of administrative data without requiring user interaction or privileged credentials beyond standard authentication.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-34019 MEDIUM PATCH This Month

Denial of service in F5 BIG-IP affects the Traffic Management Microkernel (TMM) when Bidirectional Forwarding Detection (BFD) is configured with static or dynamic routing protocols. Undisclosed traffic patterns cause TMM to stop processing BFD packets, triggering unintended failover of the configured routing protocol. Remote unauthenticated attackers can trigger this condition over the network with low complexity, resulting in availability loss for BFD-dependent routing operations.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-42780 MEDIUM PATCH This Month

Directory traversal vulnerability in F5 BIG-IP SSL Orchestrator enables authenticated high-privilege attackers to overwrite, delete, or corrupt arbitrary local files via path manipulation. The vulnerability requires network access and valid high-privilege credentials but does not require user interaction, affecting the integrity of system files on affected BIG-IP instances. A vendor patch is available.

Path Traversal Big Ip Ssl Orchestrator
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-41219 HIGH PATCH This Week

BIG-IP QKView utility fails to properly sanitize sensitive data in diagnostic files, allowing authenticated attackers to extract confidential information including credentials and system configuration details. The vulnerability affects both BIG-IP and BIG-IQ platforms and requires valid user credentials to exploit, limiting exposure to insider threats and compromised accounts within authorized access tiers.

Information Disclosure Big Ip Big Iq
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-40462 HIGH PATCH This Week

Incorrect permission assignment in F5 BIG-IP iControl REST and TMOS shell (tmsh) allows authenticated attackers to view sensitive information through an undisclosed command. The vulnerability affects BIG-IP systems and requires valid credentials but no user interaction to exploit, enabling confidentiality compromise of data restricted to higher-privilege accounts.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-28758 MEDIUM PATCH This Month

BIG-IP DNS provisioning exposes SSH passwords in cleartext within iControl REST API responses and audit logs when using the gtm_add and bigip_add commands, allowing highly privileged authenticated attackers with audit log access to retrieve sensitive credentials. The vulnerability affects all supported BIG-IP DNS versions and carries a CVSS score of 4.4 with low real-world exploitation risk due to the requirement for local access and high privilege level.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
6.7
EPSS
0.0%
CVE-2026-41954 MEDIUM PATCH This Month

Sensitive information disclosure in F5 BIG-IP and BIG-IQ allows authenticated administrators with resource administrator role to view confidential data via undisclosed iControl REST endpoints or TMOS Shell commands. The vulnerability requires high-privilege authentication and produces no system modification or availability impact, limiting real-world risk despite network accessibility. Vendor has released patches addressing the information exposure.

Information Disclosure Big Ip Big Iq
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-40435 MEDIUM PATCH This Month

IP-based access control restrictions in F5 BIG-IP httpd do not uniformly apply to all endpoints, allowing unauthenticated remote attackers from blocked IP addresses to access protected resources and disclose sensitive information. The vulnerability affects default configurations where network-based access policies are expected to enforce restrictions across the entire application stack, but certain endpoints bypass these controls. A vendor patch is available.

Information Disclosure Big Ip
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-40703 MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in F5 BIG-IP Configuration utility dashboard allows unauthenticated remote attackers to perform unauthorized actions (integrity and availability impact) against authenticated users through malicious web pages, requiring user interaction to click a crafted link. Patch is available from F5. No public exploit code or active exploitation confirmed at time of analysis.

CSRF Big Ip
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%

Information Disclosure Path Traversal Big Ip
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

F5 BIG-IP iControl REST allows authenticated attackers with Manager role or higher to execute arbitrary commands through malicious configuration objects. This authenticated remote code execution vulnerability carries a CVSS score of 7.2 but requires high privileges (Manager role), significantly limiting the attack surface to insider threats or compromised administrator accounts. No public exploitation or proof-of-concept has been identified at time of analysis, and F5 has released vendor patches per advisory K000160916.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authenticated attackers with Manager role or higher in F5 BIG-IP can execute arbitrary commands via malicious configuration objects in iControl REST API and TMOS Shell (tmsh). This privilege escalation vulnerability allows administrators to break out of their intended access boundaries and achieve full system control. CVSS 7.2 (High) reflects network accessibility with high privileges required. No public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrator users to elevate privileges through configuration object manipulation. The command injection flaw (CWE-77) enables attackers with existing high-privilege access to gain administrative control over the BIG-IP system. CVSS score of 8.7 reflects high impact due to scope change (compromising beyond the vulnerable component), though exploitation requires existing Resource Administrator credentials (PR:H). EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation.

Privilege Escalation Command Injection Big Ip
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators to gain full Administrator privileges by exploiting insecure iControl SOAP API configuration handling. Attackers with high-privilege Resource Administrator access can modify configuration objects to escalate to Administrator level, achieving cross-scope access to confidential data and integrity compromise. EPSS risk assessment unavailable, but exploitation requires legitimate Resource Administrator credentials and network access to management interface, limiting attack surface to insider threats or compromised administrative accounts.

Privilege Escalation Information Disclosure Path Traversal +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Command injection in F5 BIG-IP and BIG-IQ SNMP configuration allows highly privileged Resource Administrators to escalate privileges to root via crafted iControl REST API calls or TMOS shell commands. Despite the high CVSS score (8.7), exploitation requires existing Resource Administrator credentials, significantly limiting real-world attack surface to insider threats or post-compromise scenarios. Vendor-released patches are available per F5 security advisory K000160981.

Privilege Escalation Command Injection Big Ip +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators or Administrators to execute arbitrary OS commands by creating malicious SNMP configuration objects via the legacy iControl SOAP API. Attackers with high-level administrative credentials can break out of their role constraints to gain full system control. F5 has released patches addressing this command injection flaw (CWE-78). No active exploitation confirmed at time of analysis, but the CVSS:3.1 Changed Scope indicator and attack complexity of Low make this exploitable by any administrator with SOAP API access.

Privilege Escalation Command Injection Big Ip
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

F5 BIG-IP Advanced WAF and Application Security Manager (ASM) suffer from a denial-of-service vulnerability when processing specially crafted requests against virtual servers with active security policies. Undisclosed malformed requests cause the bd process to terminate, disrupting service availability. Remote unauthenticated attackers can exploit this with low complexity (CVSS:3.1 AV:N/AC:L/PR:N/UI:N) achieving high availability impact (CVSS 7.5). EPSS data not provided, no active exploitation confirmed via CISA KEV at time of analysis. Vendor patch available per F5 advisory K000160727.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via undisclosed malformed HTTP/2 requests when virtual servers are configured with both an HTTP/2 profile and iRules using HTTP::redirect or HTTP::respond commands. Exploitation requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N) and results in complete service disruption. Vendor patch available via F5 K000159034. EPSS data not provided, but the specific configuration requirement limits exposure to organizations using HTTP/2 with custom iRule redirects or responses.

Denial Of Service Null Pointer Dereference Big Ip Next For Kubernetes +3
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote memory exhaustion in F5 BIG-IP virtual servers crashes Traffic Management Microkernel when HTTP/2 Layer 7 DoS Protection receives undisclosed malformed traffic. Unauthenticated remote attackers can reliably terminate TMM processes, disrupting application delivery services. CVSS 7.5 (High) with network-exploitable, low-complexity characteristics and EPSS data not provided. Vendor patch available via F5 K000158979.

Denial Of Service Big Ip
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Authenticated attackers with Resource Administrator or Administrator role can execute arbitrary system commands via undisclosed iControl REST or BIG-IP TMOS Shell (tmsh) commands, potentially escalating privileges and crossing security boundaries in Appliance mode deployments. CVSS 6.5 reflects high privileges required (PR:H) but high confidentiality and integrity impact. No public exploit code identified at time of analysis.

Command Injection Big Ip
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated users of F5 BIG-IP iControl SOAP interface can access account information belonging to other users due to insufficient access controls. The vulnerability affects BIG-IP systems where iControl SOAP is accessible and requires valid authentication credentials to exploit, allowing attackers with legitimate access to enumerate or retrieve confidential account details beyond their authorization scope.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are configured without hardware crypto acceleration, allowing remote unauthenticated attackers to cause denial of service via undisclosed traffic patterns. CVSS 7.5 (High) with network attack vector and no prerequisites. EPSS data not provided, no CISA KEV listing identified, indicating theoretical rather than observed exploitation. Vendor patch available per F5 advisory K000158082.

Information Disclosure Intel Big Ip Next For Kubernetes +3
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) by sending specially crafted UDP requests to virtual servers with classification profiles enabled. The vulnerability affects BIG-IP, BIG-IP Next CNF, and BIG-IP Next for Kubernetes platforms. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available per F5 advisory K000158038.

Buffer Overflow Stack Overflow Big Ip Next For Kubernetes +2
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual servers configured with Client SSL profiles having Allow Dynamic Record Sizing enabled. Remote unauthenticated attackers can trigger complete service denial by sending crafted traffic, causing TMM process crashes. F5 has released patches per advisory K000160901.

Denial Of Service Big Ip
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust connection processing via undisclosed traffic patterns, forcing affected servers to reject new client connections. The vulnerability affects multiple BIG-IP product lines including classic BIG-IP and all BIG-IP Next variants (SPK, CNF, Kubernetes). F5 has released vendor patches (K000158978), and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N), this represents a straightforward network-based DoS attack requiring no authentication or special complexity.

Denial Of Service Big Ip Next For Kubernetes Big Ip +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation in F5 BIG-IP allows authenticated administrators to cross security boundaries and achieve elevated system access through a stack buffer overflow. The vulnerability affects all BIG-IP versions and requires high-privilege administrative credentials and direct network access to exploit. No public exploit code or active exploitation has been identified at time of analysis, but a vendor patch is available.

Buffer Overflow Stack Overflow Big Ip
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) via undisclosed traffic patterns when PEM-specific iRules are configured on a virtual server. The vulnerability is a use-after-free memory corruption issue (CWE-416) affecting CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and urlcatquery iRule commands. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates straightforward remote exploitation with high availability impact. EPSS data not provided, but F5 has released a vendor patch (K000160875). No public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Use After Free Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in F5 BIG-IP when Packet Velocity Acceleration (ePVA) is enabled allows adjacent-network attackers to exhaust ePVA and Traffic Management Microkernel (TMM) resources through crafted Ethernet traffic, causing service degradation or unavailability. CVSS 6.5 (medium severity) reflects the adjacent network access requirement and high availability impact. Patch availability confirmed via vendor advisory.

Denial Of Service Big Ip
NVD VulDB
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction required. Vendor-released patch available per F5 advisory K000156761. No public exploit identified at time of analysis, with CVSS 8.8 indicating critical severity for environments where attackers have valid low-privilege credentials to the Configuration utility.

RCE Deserialization Big Ip +1
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

F5 BIG-IP DNS when provisioned contains an undisclosed TMOS Shell (tmsh) command vulnerability allowing highly privileged authenticated attackers to view sensitive information. The vulnerability requires high-privilege account access and local shell access (AV:L, PR:H), limiting real-world exploitation to insider threats or post-compromise scenarios where an attacker has already obtained administrative credentials on the management interface.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote denial of service in F5 BIG-IP Access Policy Manager (APM) allows unauthenticated attackers to crash the apmd process by sending specially crafted traffic to virtual servers with APM access policies configured. The vulnerability stems from a buffer overflow (CWE-120) and requires no authentication or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis. F5 has released vendor patches per advisory K000161056.

Buffer Overflow Big Ip
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in F5 BIG-IP Configuration utility allows low-privileged authenticated attackers to access sensitive information through undisclosed pages, affecting the confidentiality of administrative data without requiring user interaction or privileged credentials beyond standard authentication.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Denial of service in F5 BIG-IP affects the Traffic Management Microkernel (TMM) when Bidirectional Forwarding Detection (BFD) is configured with static or dynamic routing protocols. Undisclosed traffic patterns cause TMM to stop processing BFD packets, triggering unintended failover of the configured routing protocol. Remote unauthenticated attackers can trigger this condition over the network with low complexity, resulting in availability loss for BFD-dependent routing operations.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Directory traversal vulnerability in F5 BIG-IP SSL Orchestrator enables authenticated high-privilege attackers to overwrite, delete, or corrupt arbitrary local files via path manipulation. The vulnerability requires network access and valid high-privilege credentials but does not require user interaction, affecting the integrity of system files on affected BIG-IP instances. A vendor patch is available.

Path Traversal Big Ip Ssl Orchestrator
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

BIG-IP QKView utility fails to properly sanitize sensitive data in diagnostic files, allowing authenticated attackers to extract confidential information including credentials and system configuration details. The vulnerability affects both BIG-IP and BIG-IQ platforms and requires valid user credentials to exploit, limiting exposure to insider threats and compromised accounts within authorized access tiers.

Information Disclosure Big Ip Big Iq
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Incorrect permission assignment in F5 BIG-IP iControl REST and TMOS shell (tmsh) allows authenticated attackers to view sensitive information through an undisclosed command. The vulnerability affects BIG-IP systems and requires valid credentials but no user interaction to exploit, enabling confidentiality compromise of data restricted to higher-privilege accounts.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

BIG-IP DNS provisioning exposes SSH passwords in cleartext within iControl REST API responses and audit logs when using the gtm_add and bigip_add commands, allowing highly privileged authenticated attackers with audit log access to retrieve sensitive credentials. The vulnerability affects all supported BIG-IP DNS versions and carries a CVSS score of 4.4 with low real-world exploitation risk due to the requirement for local access and high privilege level.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Sensitive information disclosure in F5 BIG-IP and BIG-IQ allows authenticated administrators with resource administrator role to view confidential data via undisclosed iControl REST endpoints or TMOS Shell commands. The vulnerability requires high-privilege authentication and produces no system modification or availability impact, limiting real-world risk despite network accessibility. Vendor has released patches addressing the information exposure.

Information Disclosure Big Ip Big Iq
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

IP-based access control restrictions in F5 BIG-IP httpd do not uniformly apply to all endpoints, allowing unauthenticated remote attackers from blocked IP addresses to access protected resources and disclose sensitive information. The vulnerability affects default configurations where network-based access policies are expected to enforce restrictions across the entire application stack, but certain endpoints bypass these controls. A vendor patch is available.

Information Disclosure Big Ip
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in F5 BIG-IP Configuration utility dashboard allows unauthenticated remote attackers to perform unauthorized actions (integrity and availability impact) against authenticated users through malicious web pages, requiring user interaction to click a crafted link. Patch is available from F5. No public exploit code or active exploitation confirmed at time of analysis.

CSRF Big Ip
NVD VulDB