
BIG-IQ: 9 CVEs (monthly view)

CVE-2026-41959 | HIGH | Patch available | This week

Incorrect permission assignment in the BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in iControl REST allows authenticated attackers to view the network status of destination systems. Affected versions vary by product line; the vendor has released patches. Authentication is required, which limits exposure to users holding valid credentials, but the high confidentiality impact (base score 6.5 as quoted, presumably the CVSS 3.x figure; 7.1 under CVSS 4.0 below) makes this a material information-disclosure risk for organizations managing sensitive network infrastructure. Confirm which vector version a report cites before copying either number.

Tags: Information Disclosure, BIG-IP, BIG-IQ | Sources: NVD, VulDB | CVSS 4.0: 7.1 | EPSS: 0.0%
CVE-2026-42406 | HIGH | Patch available | This week

Arbitrary command execution in the F5 BIG-IP and BIG-IQ Certificate Manager allows attackers holding the Certificate Manager role to run OS commands by modifying configuration objects. Exploitation requires network access and high privileges (PR:H) but yields a scope change (S:C) with high confidentiality and integrity impact, so a compromised or malicious Certificate Manager account becomes a foothold on the underlying host. A vendor patch is available per F5 Security Advisory K000160971. EPSS data was not provided at the time of analysis; no confirmed active exploitation (not in CISA KEV) and no public exploit code were identified.

Tags: Privilege Escalation, BIG-IP, BIG-IQ | Sources: NVD, VulDB | CVSS 4.0: 8.5 | EPSS: 0.0%
CVE-2026-32643 | HIGH | Patch available | This week

Configuration manipulation in the F5 BIG-IP and BIG-IQ Certificate Manager allows authenticated attackers with high privileges to execute arbitrary commands with a scope change. Attackers holding Certificate Manager role credentials can modify configuration objects so that the system runs their commands, escalating from administrative-interface access to control of the underlying system. The quoted CVSS 8.7 reflects the scope change (S:C), a CVSS 3.x metric; the CVSS 4.0 score below is 8.5. The scope change is what makes the impact broader than a typical privileged command injection. No public exploit was identified at the time of analysis. F5 has released patches per K000160972.

Tags: Privilege Escalation, BIG-IP, BIG-IQ | Sources: NVD, VulDB | CVSS 4.0: 8.5 | EPSS: 0.0%
CVE-2026-42937 | HIGH | Patch available | This week

Incorrect permission assignment in the F5 BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST, allows authenticated attackers to view sensitive adjacent-network information because of improper access controls. The vulnerability affects multiple product lines and requires valid authentication, so it matters most in environments where lower-privileged users hold management-interface access: those users can read adjacency data their role should not expose.

Tags: Information Disclosure, BIG-IP, BIG-IQ | Sources: NVD, VulDB | CVSS 4.0: 7.1 | EPSS: 0.0%
CVE-2026-40698 | HIGH | Patch available | This week

Command injection in the F5 BIG-IP and BIG-IQ SNMP configuration allows a Resource Administrator to escalate to root via crafted iControl REST API calls or TMOS Shell commands. Despite the high score (8.7 as quoted, 8.5 under CVSS 4.0 below), exploitation requires existing Resource Administrator credentials, which narrows the realistic attack surface to insider threats and post-compromise scenarios; this is the kind of bug chained after a credential theft rather than one used for initial access. Vendor patches are available per F5 security advisory K000160981.

Tags: Privilege Escalation, Command Injection, BIG-IP, BIG-IQ | Sources: NVD, VulDB | CVSS 4.0: 8.5 | EPSS: 0.1%
CVE-2026-20916 | HIGH | Patch available | This week

Authenticated low-privilege users can write arbitrary files to the BIG-IQ filesystem via path traversal in an undisclosed iControl REST endpoint, enabling system compromise through configuration manipulation or code execution. F5 has released patches for supported versions. Although authentication is required (PR:L), the low attack complexity (AC:L) and network vector (AV:N) let a remote attacker with minimal access achieve high integrity and availability impact by overwriting critical system or application files.

Tags: Path Traversal, BIG-IQ | Sources: NVD | CVSS 4.0: 7.2 | EPSS: 0.1%
CVE-2026-41957 | HIGH | Patch available | NEWS | This week

Remote code execution in the F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges to execute arbitrary code with high impact to confidentiality, integrity and availability. The flaw is unsafe deserialization (CWE-502) in the management interface, exploitable over the network with low attack complexity and no user interaction. A vendor patch is available per F5 advisory K000156761. No public exploit was identified at the time of analysis. The quoted CVSS 8.8 (8.7 under CVSS 4.0 below) sits in the High band, just under the 9.0 Critical threshold, but any environment where an attacker can obtain valid low-privilege Configuration utility credentials should treat it as urgent; it also carries the highest EPSS of the entries on this page.

Tags: RCE, Deserialization, BIG-IP, BIG-IQ | Sources: NVD, VulDB | CVSS 4.0: 8.7 | EPSS: 0.5%
CVE-2026-41219 | HIGH | Patch available | This week

The QKView diagnostic utility fails to properly sanitize sensitive data in the files it produces, allowing authenticated attackers to extract confidential information, including credentials and system configuration details, from a diagnostic bundle. The vulnerability affects both BIG-IP and BIG-IQ and requires valid user credentials, which limits exposure to insider threats and compromised accounts. Treat any QKView archive generated before patching as potentially containing secrets, including copies shared outside the organization for support.

Tags: Information Disclosure, BIG-IP, BIG-IQ | Sources: NVD, VulDB | CVSS 4.0: 7.1 | EPSS: 0.1%
CVE-2026-41954 | MEDIUM | Patch available | This month

Sensitive information disclosure in F5 BIG-IP and BIG-IQ allows authenticated users holding the Resource Administrator role to view confidential data via undisclosed iControl REST endpoints or TMOS Shell commands. The vulnerability requires high-privilege authentication and causes no system modification or availability impact, which limits real-world risk despite its network accessibility. The vendor has released patches addressing the exposure.

Tags: Information Disclosure, BIG-IP, BIG-IQ | Sources: NVD, VulDB | CVSS 4.0: 6.9 | EPSS: 0.1%
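The privilege caveats and the score discrepancies across the nine entries above are easier to act on as a patch-ordering list. The following Python is an added example; it is not F5's code and not the listing site's code. It transcribes the nine entries (CVSS 4.0 card score, EPSS, the base score quoted inside the description where one is quoted, and the privilege and impact each description states) and ranks them under an assumed tiering policy. The `Advisory`, `tier`, `patch_order` and `score_mismatches` names, the tier rules, and the treatment of an unnamed "authenticated attacker" as low privilege are this example's own assumptions.

```python
"""Patch-ordering triage for the BIG-IQ advisories listed above.

Added example; not F5's code and not the listing site's code. The ADVISORIES
records are transcribed from the page. The tiering rules in tier() are an
assumed policy for illustration, not a vendor or NIST standard.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss40: float                 # CVSS 4.0 score shown on the card
    epss: float                   # EPSS shown on the card, as a fraction
    privilege: str                # "low" (PR:L, or only "authenticated") or "high" (named admin role)
    impact: str                   # "exec", "write" or "read", per the description
    described_cvss: Optional[float] = None  # base score quoted in the description text, if any
    in_kev: bool = False          # page reports none of these in CISA KEV


ADVISORIES = [
    # "authenticated attackers" with no role named: treated as low privilege (assumption)
    Advisory("CVE-2026-41959", 7.1, 0.000, "low", "read", described_cvss=6.5),
    Advisory("CVE-2026-42406", 8.5, 0.000, "high", "exec"),                        # Certificate Manager role
    Advisory("CVE-2026-32643", 8.5, 0.000, "high", "exec", described_cvss=8.7),    # Certificate Manager role
    Advisory("CVE-2026-42937", 7.1, 0.000, "low", "read"),
    Advisory("CVE-2026-40698", 8.5, 0.001, "high", "exec", described_cvss=8.7),    # Resource Administrator to root
    Advisory("CVE-2026-20916", 7.2, 0.001, "low", "write"),                        # PR:L path-traversal file write
    Advisory("CVE-2026-41957", 8.7, 0.005, "low", "exec", described_cvss=8.8),     # PR:L deserialization RCE
    Advisory("CVE-2026-41219", 7.1, 0.001, "low", "read"),                         # QKView data leak
    Advisory("CVE-2026-41954", 6.9, 0.001, "high", "read"),                        # Resource Administrator role
]


def severity_label(score: float) -> str:
    """Qualitative rating per the CVSS v3.1/v4.0 scale: Critical starts at 9.0, not 8.8."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def tier(a: Advisory) -> int:
    """Assumed patch-ordering policy (this example's own, not a published standard).

    1: known exploited, or code/command execution or arbitrary file write reachable
       from a low-privilege account (any Configuration utility / iControl REST user).
    2: execution that needs a named admin role; still a root-level foothold once a
       Resource Administrator or Certificate Manager credential is phished or reused,
       so it follows tier 1 but precedes every read-only issue.
    3: information disclosure reachable from a low-privilege account.
    4: information disclosure that already needs an admin role.
    """
    if a.in_kev:
        return 1
    if a.privilege == "low" and a.impact in ("exec", "write"):
        return 1
    if a.impact == "exec":
        return 2
    if a.privilege == "low":
        return 3
    return 4


def patch_order(advisories=ADVISORIES) -> list:
    """CVE ids in patch order: tier first, then CVSS 4.0, then EPSS, then id for stability."""
    ordered = sorted(advisories, key=lambda a: (tier(a), -a.cvss40, -a.epss, a.cve))
    return [a.cve for a in ordered]


def score_mismatches(advisories=ADVISORIES) -> dict:
    """CVEs whose description quotes a base score different from the card's CVSS 4.0 score.

    Where the description also cites S:C, the quoted figure is a CVSS 3.x score
    (4.0 has no Scope metric); confirm the vector version before reporting either.
    """
    return {a.cve: (a.described_cvss, a.cvss40)
            for a in advisories
            if a.described_cvss is not None and a.described_cvss != a.cvss40}


if __name__ == "__main__":
    by_id = {a.cve: a for a in ADVISORIES}
    for n, cve in enumerate(patch_order(), 1):
        adv = by_id[cve]
        print(f"{n}. tier {tier(adv)} {cve} CVSS4 {adv.cvss40} "
              f"({severity_label(adv.cvss40)}) EPSS {adv.epss:.1%}")
    print("quoted score differs from card:", score_mismatches())
```

Under this policy the deserialization RCE (CVE-2026-41957) and the low-privilege file write (CVE-2026-20916) come first, the three admin-role command executions follow them, and the read-only disclosures come last; the mismatch check flags the four entries whose text quotes a different score than the card.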