Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-40462 (GCVE-0-2026-40462)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:36
VLAI?
EPSS
Title
iControl REST and tmsh vulnerability
Summary
Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity ?
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000156581 | vendor-advisorypatch |
Impacted products
Date Public ?
2026-05-13 14:00
Credits
F5
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T16:01:11.896222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:17:15.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.1",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.4",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.1",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIncorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information.\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\u003c/span\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:36:38.963Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000156581"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "iControl REST and tmsh vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-40462",
"datePublished": "2026-05-13T14:12:28.473Z",
"dateReserved": "2026-04-30T23:02:33.914Z",
"dateUpdated": "2026-05-13T16:36:38.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-40462",
"date": "2026-05-17",
"epss": "0.0005",
"percentile": "0.15781"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-40462\",\"sourceIdentifier\":\"f5sirt@f5.com\",\"published\":\"2026-05-13T16:16:42.960\",\"lastModified\":\"2026-05-13T17:16:20.340\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-732\"}]}],\"references\":[{\"url\":\"https://my.f5.com/manage/s/article/K000156581\",\"source\":\"f5sirt@f5.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40462\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T16:01:11.896222Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T16:17:10.740Z\"}}], \"cna\": {\"title\": \"iControl REST and tmsh vulnerability\", \"source\": {\"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"F5\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"F5\", \"modules\": [\"All Modules\"], \"product\": \"BIG-IP\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"21.1.0\", \"lessThan\": \"*\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"21.0.0\", \"lessThan\": \"21.0.0.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"17.5.0\", \"lessThan\": \"17.5.1.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"17.1.0\", \"lessThan\": \"17.1.3.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"16.1.0\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2026-05-13T14:00:00.000Z\", \"references\": [{\"url\": \"https://my.f5.com/manage/s/article/K000156581\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"F5 SIRTBot v1.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information.\\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eIncorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information.\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\\n\\n\u003c/span\u003e\u003cp\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732 Incorrect Permission Assignment for Critical Resource\"}]}], \"providerMetadata\": {\"orgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"shortName\": \"f5\", \"dateUpdated\": \"2026-05-13T16:36:38.963Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-40462\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T16:36:38.963Z\", \"dateReserved\": \"2026-04-30T23:02:33.914Z\", \"assignerOrgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"datePublished\": \"2026-05-13T14:12:28.473Z\", \"assignerShortName\": \"f5\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-40462
Vulnerability from fkie_nvd - Published: 2026-05-13 16:16 - Updated: 2026-05-13 17:16
Severity ?
Summary
Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"id": "CVE-2026-40462",
"lastModified": "2026-05-13T17:16:20.340",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "f5sirt@f5.com",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "f5sirt@f5.com",
"type": "Secondary"
}
]
},
"published": "2026-05-13T16:16:42.960",
"references": [
{
"source": "f5sirt@f5.com",
"url": "https://my.f5.com/manage/s/article/K000156581"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "f5sirt@f5.com",
"type": "Secondary"
}
]
}
NCSC-2026-0162
Vulnerability from csaf_ncscnl - Published: 2026-05-15 12:07 - Updated: 2026-05-15 12:07Summary
Kwetsbaarheden verholpen in F5 BIG-IP en BIG-IQ producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: F5 heeft meerdere kwetsbaarheden verholpen in de BIG-IP en BIG-IQ productlijnen, inclusief componenten zoals iControl REST, iControl SOAP, TMOS Shell, Traffic Management Microkernel (TMM), Configuration utility, Advanced WAF, ASM, PEM, DNS, Access Policy Manager (APM) en SSL Orchestrator.
Interpretaties: De kwetsbaarheden betreffen onder andere directory traversal, ongeautoriseerde bestandswijzigingen, blootstelling van gevoelige SSH-wachtwoorden in API-responses en auditlogs, privilege escalatie via onjuiste permissie-toewijzingen, remote command injection, cross-account informatielekken, en onverwachte procesafsluitingen (zoals van TMM, httpd, apmd en bd processen) door specifieke configuraties of ongedocumenteerde verkeerspatronen.
Exploitatie vereist doorgaans geauthenticeerde toegang met rollen variërend van Manager, Resource Administrator tot Administrator, afhankelijk van de kwetsbaarheid. Sommige kwetsbaarheden maken het mogelijk om configuratieobjecten te wijzigen, wat kan leiden tot het uitvoeren van willekeurige commando's met verhoogde privileges.
Andere kwetsbaarheden betreffen het lekken van gevoelige informatie via onjuiste toegangscontrole of onvoldoende validatie binnen managementinterfaces. Diverse kwetsbaarheden zijn specifiek voor Appliance mode of bepaalde configuratieprofielen zoals SSL, HTTP/2, SIP, LDAP authenticatie, en SNMP configuraties. De impact omvat onder meer het omzeilen van beveiligingscontroles, het escaleren van privileges, het lekken van gevoelige gegevens, en het verstoren van de beschikbaarheid en stabiliteit van netwerk- en applicatiebeheercomponenten. Niet-ondersteunde softwareversies zijn in de meeste gevallen niet geëvalueerd voor deze kwetsbaarheden.
Oplossingen: F5 heeft updates uitgebracht om de kwetsbaarheden in de BIG-IP en BIG-IQ producten te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-35: Path Traversal: '.../...//'
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-121: Stack-based Buffer Overflow
CWE-131: Incorrect Calculation of Buffer Size
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-250: Execution with Unnecessary Privileges
CWE-252: Unchecked Return Value
CWE-266: Incorrect Privilege Assignment
CWE-267: Privilege Defined With Unsafe Actions
CWE-272: Least Privilege Violation
CWE-312: Cleartext Storage of Sensitive Information
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-416: Use After Free
CWE-420: Unprotected Alternate Channel
CWE-476: NULL Pointer Dereference
CWE-502: Deserialization of Untrusted Data
CWE-532: Insertion of Sensitive Information into Log File
CWE-552: Files or Directories Accessible to External Parties
CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE-648: Incorrect Use of Privileged APIs
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-772: Missing Release of Resource after Effective Lifetime
CWE-824: Access of Uninitialized Pointer
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
A directory traversal vulnerability in an undisclosed iControl REST endpoint in Appliance mode may allow an authenticated administrator to bypass security boundaries and delete files.
6.8 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in BIG-IP DNS's gtm_add and bigip_add iControl REST commands exposes the ssh-password parameter in cleartext within responses and audit logs, risking sensitive information disclosure to highly privileged attackers.
4.4 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in BIG-IP and BIG-IQ systems allows a highly privileged, authenticated attacker with at least the Certificate Manager role to modify configuration objects and execute arbitrary commands, excluding versions past End of Technical Support.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in BIG-IP scripted monitors allows authenticated users with Resource Administrator or Administrator roles to execute arbitrary system commands with elevated privileges, potentially crossing security boundaries in appliance mode.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
An authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint in Appliance mode, potentially allowing an attacker to cross security boundaries.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
An authenticated iControl SOAP user may be able to access or obtain information from other accounts, with versions past End of Technical Support not evaluated.
6.5 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring the BIG-IP Configuration utility to use LDAP authentication can cause the httpd process to exhaust available file descriptors due to undisclosed traffic, with unsupported software versions not evaluated.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Enabling a BIG-IP DNS profile with DNS cache on a virtual server can cause the Traffic Management Microkernel (TMM) to terminate due to undisclosed traffic, with unsupported software versions not evaluated.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in iControl REST and TMOS Shell (tmsh) allows a highly privileged, authenticated attacker with at least Manager role to create configuration objects that enable execution of arbitrary commands.
7.2 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Certain undisclosed requests can cause the bd process to terminate when a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, with unsupported software versions not evaluated.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in BIG-IP DNS allows authenticated Resource Administrator or Administrator users to execute arbitrary system commands with elevated privileges, potentially crossing security boundaries in Appliance mode.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring a BIG-IP APM access policy on a virtual server can cause the apmd process to terminate due to undisclosed traffic, with unsupported software versions not evaluated.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring a SIP profile on a virtual server can cause the Traffic Management Microkernel (TMM) to terminate due to undisclosed traffic, with issues noted in software versions beyond End of Technical Support (EoTS).
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
IP-based access restrictions configured for httpd do not apply to all endpoints, potentially allowing connections from blocked IP addresses, except in versions that have reached End of Technical Support.
5.3 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Incorrect permission assignment vulnerabilities in iControl REST and TMOS Shell (tmsh) undisclosed commands may allow authenticated attackers to access sensitive information.
6.5 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring an SSL profile on BIG-IP Virtual Edition without Intel QAT or on hardware with crypto.hwacceleration disabled can cause the Traffic Management Microkernel (TMM) to terminate when processing certain undisclosed traffic.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring SSL profiles on a virtual server can cause the server to stop processing new client connections when handling undisclosed traffic, with versions beyond End of Technical Support not evaluated.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
An authenticated attacker with Resource Administrator or Administrator roles can exploit iControl SOAP to modify configuration objects and escalate privileges, with unsupported software versions not evaluated.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in F5 BIG-IP and BIG-IQ systems allows a highly privileged, authenticated attacker with Resource Administrator role to create SNMP configuration objects via iControl REST or TMOS shell, resulting in privilege escalation.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in undisclosed pages of the Configuration utility may allow a low-privileged authenticated attacker to access sensitive information, with unsupported software versions not evaluated.
6.5 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility, with versions that have reached End of Technical Support (EoTS) not evaluated.
5.4 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in an undisclosed BIG-IP TMOS Shell command allows authenticated users with resource administrator or administrator roles to execute arbitrary system commands with elevated privileges, potentially crossing security boundaries in Appliance mode.
7.9 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring BIG-IP PEM iRules with certain commands on a virtual server can cause the Traffic Management Microkernel (TMM) to terminate, with unsupported software versions not evaluated.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
An improper sanitization vulnerability in the BIG-IP QKView utility allows low-privileged attackers to read sensitive information from QKView files, with unsupported software versions not evaluated.
6.5 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in iControl REST allows a highly privileged, authenticated attacker with at least Manager role to create configuration objects that enable arbitrary command execution.
9.1 (Critical)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Certain undisclosed traffic on an HTTP/2 virtual server with Layer 7 DoS Protection can increase memory usage and cause the Traffic Management Microkernel (TMM) process to terminate.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in BIG-IP systems enables a highly privileged, authenticated attacker with at least Resource Administrator role to modify configuration objects, resulting in privilege escalation.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A sensitive information disclosure vulnerability in an undisclosed iControl REST endpoint and TMOS Shell (tmsh) command may allow an authenticated attacker with resource administrator privileges to access sensitive information.
4.9 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring a classification profile on a UDP virtual server can cause the Traffic Management Microkernel (TMM) to terminate upon receiving certain undisclosed requests, with unsupported software versions not evaluated.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
An authenticated remote code execution vulnerability exists in the BIG-IP and BIG-IQ Configuration utility through undisclosed vectors, excluding software versions that have reached End of Technical Support.
8.8 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Incorrect permission assignment vulnerabilities in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and BIG-IP iControl REST may allow authenticated attackers to view network status of destination systems.
6.5 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
An authenticated attacker can exploit undisclosed requests to BIG-IP iControl REST to leak local user account names, with unsupported software versions not evaluated.
4.3 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in iControl SOAP allows authenticated users with Resource Administrator or Administrator roles to download sensitive files, with unsupported software versions not evaluated.
4.9 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in BIG-IP and BIG-IQ systems allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects and execute arbitrary commands, excluding versions past End of Technical Support.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in an undisclosed TMOS Shell (tmsh) command in BIG-IP DNS may allow a highly privileged authenticated attacker to view sensitive information.
4.4 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring an HTTP/2 profile with an iRule using HTTP::redirect or HTTP::respond on a virtual server can cause the Traffic Management Microkernel (TMM) process to terminate due to certain request handling issues.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A directory traversal vulnerability in BIG-IP SSL Orchestrator allows an authenticated high-privilege attacker to overwrite, delete, or corrupt arbitrary local files, affecting supported software versions.
4.9 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring embedded Packet Velocity Acceleration (ePVA) can increase resource utilization in ePVA and Traffic Management Microkernel (TMM) due to undisclosed local ethernet traffic, with unsupported software versions not evaluated.
6.5 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
A vulnerability in BIG-IP systems allows an authenticated attacker with administrative access to escalate privileges and cross security boundaries, with unsupported software versions not evaluated.
6.7 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Configuring a Client SSL profile with Allow Dynamic Record Sizing on a UDP virtual server can cause the Traffic Management Microkernel (TMM) to terminate due to undisclosed traffic issues.
7.5 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
An authenticated attacker with Resource Administrator or Administrator roles can exploit iControl SOAP to create SNMP configuration objects, leading to privilege escalation.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
An authenticated attacker with Administrator privileges may bypass Appliance mode restrictions on a BIG-IP system, including some unsupported software versions not evaluated.
8.7 (High)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
Incorrect permission assignment vulnerabilities in BIG-IP and BIG-IQ TMOS Shell arp and ndp commands, as well as in BIG-IP iControl REST, may allow an authenticated attacker to access adjacent network information.
6.5 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
F5 / AI Gateway
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP APM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP DNS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next CNF
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next SPK
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP Next for Kubernetes
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP PEM
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX110 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on BX520 blades on VELOS
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on all other rSeries systems
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r10000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r12000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IP tenants on r5000 rSeries
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / BIG-IQ Centralized Management
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Distributed Cloud (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / NGINX (all products)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-A
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / OS-C
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / SSL Orchestrator
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Silverline (all services)
|
vers:unknown/* | ||
|
vers:unknown/*
F5 / Traffix SDC
|
vers:unknown/* |
References
84 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "F5 heeft meerdere kwetsbaarheden verholpen in de BIG-IP en BIG-IQ productlijnen, inclusief componenten zoals iControl REST, iControl SOAP, TMOS Shell, Traffic Management Microkernel (TMM), Configuration utility, Advanced WAF, ASM, PEM, DNS, Access Policy Manager (APM) en SSL Orchestrator.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden betreffen onder andere directory traversal, ongeautoriseerde bestandswijzigingen, blootstelling van gevoelige SSH-wachtwoorden in API-responses en auditlogs, privilege escalatie via onjuiste permissie-toewijzingen, remote command injection, cross-account informatielekken, en onverwachte procesafsluitingen (zoals van TMM, httpd, apmd en bd processen) door specifieke configuraties of ongedocumenteerde verkeerspatronen.\n\nExploitatie vereist doorgaans geauthenticeerde toegang met rollen vari\u00ebrend van Manager, Resource Administrator tot Administrator, afhankelijk van de kwetsbaarheid. Sommige kwetsbaarheden maken het mogelijk om configuratieobjecten te wijzigen, wat kan leiden tot het uitvoeren van willekeurige commando\u0027s met verhoogde privileges.\n\nAndere kwetsbaarheden betreffen het lekken van gevoelige informatie via onjuiste toegangscontrole of onvoldoende validatie binnen managementinterfaces. Diverse kwetsbaarheden zijn specifiek voor Appliance mode of bepaalde configuratieprofielen zoals SSL, HTTP/2, SIP, LDAP authenticatie, en SNMP configuraties. De impact omvat onder meer het omzeilen van beveiligingscontroles, het escaleren van privileges, het lekken van gevoelige gegevens, en het verstoren van de beschikbaarheid en stabiliteit van netwerk- en applicatiebeheercomponenten. Niet-ondersteunde softwareversies zijn in de meeste gevallen niet ge\u00ebvalueerd voor deze kwetsbaarheden.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "F5 heeft updates uitgebracht om de kwetsbaarheden in de BIG-IP en BIG-IQ producten te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Path Traversal: \u0027.../...//\u0027",
"title": "CWE-35"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "general",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
},
{
"category": "general",
"text": "Stack-based Buffer Overflow",
"title": "CWE-121"
},
{
"category": "general",
"text": "Incorrect Calculation of Buffer Size",
"title": "CWE-131"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "Execution with Unnecessary Privileges",
"title": "CWE-250"
},
{
"category": "general",
"text": "Unchecked Return Value",
"title": "CWE-252"
},
{
"category": "general",
"text": "Incorrect Privilege Assignment",
"title": "CWE-266"
},
{
"category": "general",
"text": "Privilege Defined With Unsafe Actions",
"title": "CWE-267"
},
{
"category": "general",
"text": "Least Privilege Violation",
"title": "CWE-272"
},
{
"category": "general",
"text": "Cleartext Storage of Sensitive Information",
"title": "CWE-312"
},
{
"category": "general",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "Use After Free",
"title": "CWE-416"
},
{
"category": "general",
"text": "Unprotected Alternate Channel",
"title": "CWE-420"
},
{
"category": "general",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
},
{
"category": "general",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "Insertion of Sensitive Information into Log File",
"title": "CWE-532"
},
{
"category": "general",
"text": "Files or Directories Accessible to External Parties",
"title": "CWE-552"
},
{
"category": "general",
"text": "Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)",
"title": "CWE-643"
},
{
"category": "general",
"text": "Incorrect Use of Privileged APIs",
"title": "CWE-648"
},
{
"category": "general",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
},
{
"category": "general",
"text": "Access of Uninitialized Pointer",
"title": "CWE-824"
},
{
"category": "general",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160975"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160979"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160981"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000161018"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000161022"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000161023"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000161040"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000161056"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000161107"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000149743"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000156581"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000156604"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000156761"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000156734"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000157895"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000157981"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000158038"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000158070"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000158082"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000158971"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000158978"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000158979"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000159021"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000159034"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160727"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160788"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160857"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160862"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160863"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160874"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160875"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160876"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160901"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160903"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160911"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160916"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160926"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160945"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160971"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160972"
},
{
"category": "external",
"summary": "Reference",
"url": "https://my.f5.com/manage/s/article/K000160973"
}
],
"title": "Kwetsbaarheden verholpen in F5 BIG-IP en BIG-IQ producten",
"tracking": {
"current_release_date": "2026-05-15T12:07:48.313135Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0162",
"initial_release_date": "2026-05-15T12:07:48.313135Z",
"revision_history": [
{
"date": "2026-05-15T12:07:48.313135Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "AI Gateway"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "BIG-IP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "BIG-IP APM"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "BIG-IP Advanced WAF/ASM"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "BIG-IP DNS"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "BIG-IP Next CNF"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "BIG-IP Next SPK"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "BIG-IP Next for Kubernetes"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "BIG-IP PEM"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-11"
}
}
],
"category": "product_name",
"name": "BIG-IP SSL Orchestrator"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-12"
}
}
],
"category": "product_name",
"name": "BIG-IP tenants on BX110 blades on VELOS"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-13"
}
}
],
"category": "product_name",
"name": "BIG-IP tenants on BX520 blades on VELOS"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-14"
}
}
],
"category": "product_name",
"name": "BIG-IP tenants on all other rSeries systems"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-15"
}
}
],
"category": "product_name",
"name": "BIG-IP tenants on r10000 rSeries"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-16"
}
}
],
"category": "product_name",
"name": "BIG-IP tenants on r12000 rSeries"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-17"
}
}
],
"category": "product_name",
"name": "BIG-IP tenants on r5000 rSeries"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-18"
}
}
],
"category": "product_name",
"name": "BIG-IQ"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-19"
}
}
],
"category": "product_name",
"name": "BIG-IQ Centralized Management"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-20"
}
}
],
"category": "product_name",
"name": "Distributed Cloud (all services)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-21"
}
}
],
"category": "product_name",
"name": "NGINX (all products)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-22"
}
}
],
"category": "product_name",
"name": "OS-A"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-23"
}
}
],
"category": "product_name",
"name": "OS-C"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-24"
}
}
],
"category": "product_name",
"name": "SSL Orchestrator"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-25"
}
}
],
"category": "product_name",
"name": "Silverline (all services)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-26"
}
}
],
"category": "product_name",
"name": "Traffix SDC"
}
],
"category": "vendor",
"name": "F5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-24464",
"cwe": {
"id": "CWE-35",
"name": "Path Traversal: \u0027.../...//\u0027"
},
"notes": [
{
"category": "other",
"text": "Path Traversal: \u0027.../...//\u0027",
"title": "CWE-35"
},
{
"category": "description",
"text": "A directory traversal vulnerability in an undisclosed iControl REST endpoint in Appliance mode may allow an authenticated administrator to bypass security boundaries and delete files.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-24464 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-24464.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-24464"
},
{
"cve": "CVE-2026-28758",
"cwe": {
"id": "CWE-312",
"name": "Cleartext Storage of Sensitive Information"
},
"notes": [
{
"category": "other",
"text": "Cleartext Storage of Sensitive Information",
"title": "CWE-312"
},
{
"category": "description",
"text": "A vulnerability in BIG-IP DNS\u0027s gtm_add and bigip_add iControl REST commands exposes the ssh-password parameter in cleartext within responses and audit logs, risking sensitive information disclosure to highly privileged attackers.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-28758 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-28758.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-28758"
},
{
"cve": "CVE-2026-32643",
"cwe": {
"id": "CWE-250",
"name": "Execution with Unnecessary Privileges"
},
"notes": [
{
"category": "other",
"text": "Execution with Unnecessary Privileges",
"title": "CWE-250"
},
{
"category": "description",
"text": "A vulnerability in BIG-IP and BIG-IQ systems allows a highly privileged, authenticated attacker with at least the Certificate Manager role to modify configuration objects and execute arbitrary commands, excluding versions past End of Technical Support.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-32643 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32643.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-32643"
},
{
"cve": "CVE-2026-32673",
"cwe": {
"id": "CWE-250",
"name": "Execution with Unnecessary Privileges"
},
"notes": [
{
"category": "other",
"text": "Execution with Unnecessary Privileges",
"title": "CWE-250"
},
{
"category": "description",
"text": "A vulnerability in BIG-IP scripted monitors allows authenticated users with Resource Administrator or Administrator roles to execute arbitrary system commands with elevated privileges, potentially crossing security boundaries in appliance mode.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-32673 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32673.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-32673"
},
{
"cve": "CVE-2026-34176",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "description",
"text": "An authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint in Appliance mode, potentially allowing an attacker to cross security boundaries.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-34176 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-34176.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-34176"
},
{
"cve": "CVE-2026-35062",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"notes": [
{
"category": "other",
"text": "Incorrect Privilege Assignment",
"title": "CWE-266"
},
{
"category": "description",
"text": "An authenticated iControl SOAP user may be able to access or obtain information from other accounts, with versions past End of Technical Support not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-35062 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-35062.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-35062"
},
{
"cve": "CVE-2026-39455",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "other",
"text": "Missing Release of Resource after Effective Lifetime",
"title": "CWE-772"
},
{
"category": "description",
"text": "Configuring the BIG-IP Configuration utility to use LDAP authentication can cause the httpd process to exhaust available file descriptors due to undisclosed traffic, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-39455 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-39455.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-39455"
},
{
"cve": "CVE-2026-39458",
"cwe": {
"id": "CWE-824",
"name": "Access of Uninitialized Pointer"
},
"notes": [
{
"category": "other",
"text": "Access of Uninitialized Pointer",
"title": "CWE-824"
},
{
"category": "description",
"text": "Enabling a BIG-IP DNS profile with DNS cache on a virtual server can cause the Traffic Management Microkernel (TMM) to terminate due to undisclosed traffic, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-39458 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-39458.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-39458"
},
{
"cve": "CVE-2026-39459",
"cwe": {
"id": "CWE-272",
"name": "Least Privilege Violation"
},
"notes": [
{
"category": "other",
"text": "Least Privilege Violation",
"title": "CWE-272"
},
{
"category": "description",
"text": "A vulnerability in iControl REST and TMOS Shell (tmsh) allows a highly privileged, authenticated attacker with at least Manager role to create configuration objects that enable execution of arbitrary commands.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-39459 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-39459.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-39459"
},
{
"cve": "CVE-2026-40060",
"cwe": {
"id": "CWE-252",
"name": "Unchecked Return Value"
},
"notes": [
{
"category": "other",
"text": "Unchecked Return Value",
"title": "CWE-252"
},
{
"category": "description",
"text": "Certain undisclosed requests can cause the bd process to terminate when a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40060 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40060.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40060"
},
{
"cve": "CVE-2026-40061",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "description",
"text": "A vulnerability in BIG-IP DNS allows authenticated Resource Administrator or Administrator users to execute arbitrary system commands with elevated privileges, potentially crossing security boundaries in Appliance mode.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40061 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40061.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40061"
},
{
"cve": "CVE-2026-40067",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "other",
"text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"title": "CWE-120"
},
{
"category": "description",
"text": "Configuring a BIG-IP APM access policy on a virtual server can cause the apmd process to terminate due to undisclosed traffic, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40067 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40067.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40067"
},
{
"cve": "CVE-2026-40423",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Configuring a SIP profile on a virtual server can cause the Traffic Management Microkernel (TMM) to terminate due to undisclosed traffic, with issues noted in software versions beyond End of Technical Support (EoTS).",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40423 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40423.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40423"
},
{
"cve": "CVE-2026-40435",
"cwe": {
"id": "CWE-420",
"name": "Unprotected Alternate Channel"
},
"notes": [
{
"category": "other",
"text": "Unprotected Alternate Channel",
"title": "CWE-420"
},
{
"category": "description",
"text": "IP-based access restrictions configured for httpd do not apply to all endpoints, potentially allowing connections from blocked IP addresses, except in versions that have reached End of Technical Support.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40435 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40435.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40435"
},
{
"cve": "CVE-2026-40462",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "other",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "description",
"text": "Incorrect permission assignment vulnerabilities in iControl REST and TMOS Shell (tmsh) undisclosed commands may allow authenticated attackers to access sensitive information.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40462 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40462.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40462"
},
{
"cve": "CVE-2026-40618",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"notes": [
{
"category": "other",
"text": "Incorrect Calculation of Buffer Size",
"title": "CWE-131"
},
{
"category": "description",
"text": "Configuring an SSL profile on BIG-IP Virtual Edition without Intel QAT or on hardware with crypto.hwacceleration disabled can cause the Traffic Management Microkernel (TMM) to terminate when processing certain undisclosed traffic.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40618 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40618.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40618"
},
{
"cve": "CVE-2026-40629",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Configuring SSL profiles on a virtual server can cause the server to stop processing new client connections when handling undisclosed traffic, with versions beyond End of Technical Support not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40629 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40629.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40629"
},
{
"cve": "CVE-2026-40631",
"cwe": {
"id": "CWE-552",
"name": "Files or Directories Accessible to External Parties"
},
"notes": [
{
"category": "other",
"text": "Files or Directories Accessible to External Parties",
"title": "CWE-552"
},
{
"category": "description",
"text": "An authenticated attacker with Resource Administrator or Administrator roles can exploit iControl SOAP to modify configuration objects and escalate privileges, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40631 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40631.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40631"
},
{
"cve": "CVE-2026-40698",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "description",
"text": "A vulnerability in F5 BIG-IP and BIG-IQ systems allows a highly privileged, authenticated attacker with Resource Administrator role to create SNMP configuration objects via iControl REST or TMOS shell, resulting in privilege escalation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40698 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40698.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40698"
},
{
"cve": "CVE-2026-40699",
"cwe": {
"id": "CWE-643",
"name": "Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Data within XPath Expressions (\u0027XPath Injection\u0027)",
"title": "CWE-643"
},
{
"category": "description",
"text": "A vulnerability in undisclosed pages of the Configuration utility may allow a low-privileged authenticated attacker to access sensitive information, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40699 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40699.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40699"
},
{
"cve": "CVE-2026-40703",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"notes": [
{
"category": "other",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility, with versions that have reached End of Technical Support (EoTS) not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-40703 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-40703.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-40703"
},
{
"cve": "CVE-2026-41217",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "other",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "description",
"text": "A vulnerability in an undisclosed BIG-IP TMOS Shell command allows authenticated users with resource administrator or administrator roles to execute arbitrary system commands with elevated privileges, potentially crossing security boundaries in Appliance mode.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41217 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41217.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.9,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41217"
},
{
"cve": "CVE-2026-41218",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
},
{
"category": "description",
"text": "Configuring BIG-IP PEM iRules with certain commands on a virtual server can cause the Traffic Management Microkernel (TMM) to terminate, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41218 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41218.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41218"
},
{
"cve": "CVE-2026-41219",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"notes": [
{
"category": "other",
"text": "Insertion of Sensitive Information into Log File",
"title": "CWE-532"
},
{
"category": "description",
"text": "An improper sanitization vulnerability in the BIG-IP QKView utility allows low-privileged attackers to read sensitive information from QKView files, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41219 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41219.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41219"
},
{
"cve": "CVE-2026-41225",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"notes": [
{
"category": "other",
"text": "Incorrect Use of Privileged APIs",
"title": "CWE-648"
},
{
"category": "description",
"text": "A vulnerability in iControl REST allows a highly privileged, authenticated attacker with at least Manager role to create configuration objects that enable arbitrary command execution.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41225 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41225.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41225"
},
{
"cve": "CVE-2026-41227",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Certain undisclosed traffic on an HTTP/2 virtual server with Layer 7 DoS Protection can increase memory usage and cause the Traffic Management Microkernel (TMM) process to terminate.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41227 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41227.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41227"
},
{
"cve": "CVE-2026-41953",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "description",
"text": "A vulnerability in BIG-IP systems enables a highly privileged, authenticated attacker with at least Resource Administrator role to modify configuration objects, resulting in privilege escalation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41953 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41953.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41953"
},
{
"cve": "CVE-2026-41954",
"notes": [
{
"category": "description",
"text": "A sensitive information disclosure vulnerability in an undisclosed iControl REST endpoint and TMOS Shell (tmsh) command may allow an authenticated attacker with resource administrator privileges to access sensitive information.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41954 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41954.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41954"
},
{
"cve": "CVE-2026-41956",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "other",
"text": "Stack-based Buffer Overflow",
"title": "CWE-121"
},
{
"category": "description",
"text": "Configuring a classification profile on a UDP virtual server can cause the Traffic Management Microkernel (TMM) to terminate upon receiving certain undisclosed requests, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41956 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41956.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41956"
},
{
"cve": "CVE-2026-41957",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "description",
"text": "An authenticated remote code execution vulnerability exists in the BIG-IP and BIG-IQ Configuration utility through undisclosed vectors, excluding software versions that have reached End of Technical Support.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41957 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41957.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41957"
},
{
"cve": "CVE-2026-41959",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "other",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "description",
"text": "Incorrect permission assignment vulnerabilities in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and BIG-IP iControl REST may allow authenticated attackers to view network status of destination systems.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-41959 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-41959.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-41959"
},
{
"cve": "CVE-2026-42058",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "other",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "description",
"text": "An authenticated attacker can exploit undisclosed requests to BIG-IP iControl REST to leak local user account names, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42058 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42058.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42058"
},
{
"cve": "CVE-2026-42063",
"cwe": {
"id": "CWE-552",
"name": "Files or Directories Accessible to External Parties"
},
"notes": [
{
"category": "other",
"text": "Files or Directories Accessible to External Parties",
"title": "CWE-552"
},
{
"category": "description",
"text": "A vulnerability in iControl SOAP allows authenticated users with Resource Administrator or Administrator roles to download sensitive files, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42063 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42063.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42063"
},
{
"cve": "CVE-2026-42406",
"cwe": {
"id": "CWE-267",
"name": "Privilege Defined With Unsafe Actions"
},
"notes": [
{
"category": "other",
"text": "Privilege Defined With Unsafe Actions",
"title": "CWE-267"
},
{
"category": "description",
"text": "A vulnerability in BIG-IP and BIG-IQ systems allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects and execute arbitrary commands, excluding versions past End of Technical Support.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42406 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42406.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42406"
},
{
"cve": "CVE-2026-42408",
"cwe": {
"id": "CWE-312",
"name": "Cleartext Storage of Sensitive Information"
},
"notes": [
{
"category": "other",
"text": "Cleartext Storage of Sensitive Information",
"title": "CWE-312"
},
{
"category": "description",
"text": "A vulnerability in an undisclosed TMOS Shell (tmsh) command in BIG-IP DNS may allow a highly privileged authenticated attacker to view sensitive information.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42408 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42408.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42408"
},
{
"cve": "CVE-2026-42409",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
},
{
"category": "description",
"text": "Configuring an HTTP/2 profile with an iRule using HTTP::redirect or HTTP::respond on a virtual server can cause the Traffic Management Microkernel (TMM) process to terminate due to certain request handling issues.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42409 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42409.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42409"
},
{
"cve": "CVE-2026-42780",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "description",
"text": "A directory traversal vulnerability in BIG-IP SSL Orchestrator allows an authenticated high-privilege attacker to overwrite, delete, or corrupt arbitrary local files, affecting supported software versions.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42780 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42780.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42780"
},
{
"cve": "CVE-2026-42781",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "other",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
},
{
"category": "description",
"text": "Configuring embedded Packet Velocity Acceleration (ePVA) can increase resource utilization in ePVA and Traffic Management Microkernel (TMM) due to undisclosed local ethernet traffic, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42781 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42781.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42781"
},
{
"cve": "CVE-2026-42919",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "other",
"text": "Stack-based Buffer Overflow",
"title": "CWE-121"
},
{
"category": "description",
"text": "A vulnerability in BIG-IP systems allows an authenticated attacker with administrative access to escalate privileges and cross security boundaries, with unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42919 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42919.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42919"
},
{
"cve": "CVE-2026-42920",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "other",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
},
{
"category": "description",
"text": "Configuring a Client SSL profile with Allow Dynamic Record Sizing on a UDP virtual server can cause the Traffic Management Microkernel (TMM) to terminate due to undisclosed traffic issues.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42920 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42920.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42920"
},
{
"cve": "CVE-2026-42924",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "description",
"text": "An authenticated attacker with Resource Administrator or Administrator roles can exploit iControl SOAP to create SNMP configuration objects, leading to privilege escalation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42924 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42924.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42924"
},
{
"cve": "CVE-2026-42930",
"cwe": {
"id": "CWE-35",
"name": "Path Traversal: \u0027.../...//\u0027"
},
"notes": [
{
"category": "other",
"text": "Path Traversal: \u0027.../...//\u0027",
"title": "CWE-35"
},
{
"category": "description",
"text": "An authenticated attacker with Administrator privileges may bypass Appliance mode restrictions on a BIG-IP system, including some unsupported software versions not evaluated.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42930 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42930.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42930"
},
{
"cve": "CVE-2026-42937",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "other",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "description",
"text": "Incorrect permission assignment vulnerabilities in BIG-IP and BIG-IQ TMOS Shell arp and ndp commands, as well as in BIG-IP iControl REST, may allow an authenticated attacker to access adjacent network information.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-42937 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-42937.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21",
"CSAFPID-22",
"CSAFPID-23",
"CSAFPID-24",
"CSAFPID-25",
"CSAFPID-26"
]
}
],
"title": "CVE-2026-42937"
}
]
}
GHSA-M5RW-FQ84-2JG3
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI?
Details
Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity ?
{
"affected": [],
"aliases": [
"CVE-2026-40462"
],
"database_specific": {
"cwe_ids": [
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T16:16:42Z",
"severity": "HIGH"
},
"details": "Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-m5rw-fq84-2jg3",
"modified": "2026-05-13T18:30:55Z",
"published": "2026-05-13T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40462"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000156581"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
CERTFR-2026-AVI-0591
Vulnerability from certfr_avis - Published: 2026-05-15 - Updated: 2026-05-15
De multiples vulnérabilités ont été découvertes dans les produits F5. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| F5 | N/A | BIG-IP APM versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP DNS versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP Advanced WAF/ASM versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | BIG-IP | BIG-IP versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | BIG-IP Next | BIG-IP Next for Kubernetes versions 2.x antérieures à 2.2.0 | ||
| F5 | NGINX | F5 DoS for NGINX versions 4.8.0 | ||
| F5 | BIG-IP | BIG-IP versions 16.1.0 à 16.1.6 antérieures à 17.1.3 | ||
| F5 | N/A | BIG-IP DNS versions 17.5.0 à 17.5.1 antérieures à 21.0.0 | ||
| F5 | BIG-IP Next | BIG-IP Next SPK versions 1.7.0 à 1.7.16 antérieures à 1.7.17 | ||
| F5 | BIG-IP | BIG-IP versions 21.0.x antérieures à 21.0.0.2 | ||
| F5 | N/A | BIG-IP SSL Orchestrator versions 21.0.0 antérieures à 21.0.0.1 (SSL Orchestrator 13.1.3) | ||
| F5 | BIG-IP Next | BIG-IP Next SPK versions 2.0.0 à 2.0.2 antérieures à 2.0.3 | ||
| F5 | NGINX | NGINX Open Source versions 1.0.0 à 1.30.0 antérieures à 1.30.1 | ||
| F5 | N/A | BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | NGINX | NGINX Gateway Fabric versions 1.3.0 à 1.6.2 | ||
| F5 | BIG-IP Next | BIG-IP Next CNF versions 2.0.0 à 2.0.2 antérieures à 2.0.3 | ||
| F5 | NGINX | NGINX App Protect DoS versions 4.3.0 à 4.7.0 | ||
| F5 | N/A | BIG-IP APM versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | NGINX | NGINX App Protect WAF versions 4.9.0 à 4.16.0 | ||
| F5 | N/A | BIG-IP SSL Orchestrator versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 (SSL Orchestrator 12.3.2) | ||
| F5 | NGINX | NGINX Ingress Controller versions 5.0.0 à 5.4.2 | ||
| F5 | BIG-IP | BIG-IP versions 17.5.0 à 17.5.1 antérieures à 21.0.0.2 | ||
| F5 | NGINX | NGINX Ingress Controller versions 3.5.0 à 3.7.2 | ||
| F5 | NGINX | NGINX Open Source versions 0.3.50 à 0.9.7 antérieures à 1.30.1 | ||
| F5 | N/A | BIG-IP DNS versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | NGINX | NGINX Instance Manager versions 2.16.0 à 2.21.1 | ||
| F5 | N/A | BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | NGINX | NGINX Plus versions R36 antérieures à R36 P4 | ||
| F5 | BIG-IQ | BIG-IQ Centralized Management versions 8.4.0 antérieures à 8.4.1 | ||
| F5 | N/A | BIG-IP SSL Orchestrator versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 (SSL Orchestrator 12.3.2) | ||
| F5 | BIG-IP Next | BIG-IP Next CNF versions 1.1.0 à 1.4.0 antérieures à 1.4.1 | ||
| F5 | NGINX | NGINX App Protect WAF versions 5.1.0 à 5.8.0 | ||
| F5 | NGINX | NGINX Gateway Fabric versions 2.0.0 à 2.6.0 | ||
| F5 | NGINX | NGINX Ingress Controller versions 4.0.0 à 4.0.1 | ||
| F5 | N/A | BIG-IP PEM versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP APM versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | N/A | BIG-IP DNS versions 16.1.0 à 16.1.6 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP PEM versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | N/A | BIG-IP Advanced WAF/ASM versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | N/A | BIG-IP Advanced WAF/ASM versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | N/A | BIG-IP PEM versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | NGINX | NGINX Plus versions R32 antérieures à R32 P6 | ||
| F5 | NGINX | F5 WAF for NGINX versions 5.9.0 à 5.12.1 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "BIG-IP APM versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Advanced WAF/ASM versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next for Kubernetes versions 2.x ant\u00e9rieures \u00e0 2.2.0",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "F5 DoS for NGINX versions 4.8.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 16.1.0 \u00e0 16.1.6 ant\u00e9rieures \u00e0 17.1.3",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 21.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next SPK versions 1.7.0 \u00e0 1.7.16 ant\u00e9rieures \u00e0 1.7.17",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.2",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP SSL Orchestrator versions 21.0.0 ant\u00e9rieures \u00e0 21.0.0.1 (SSL Orchestrator 13.1.3)",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next SPK versions 2.0.0 \u00e0 2.0.2 ant\u00e9rieures \u00e0 2.0.3",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Open Source versions 1.0.0 \u00e0 1.30.0 ant\u00e9rieures \u00e0 1.30.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Gateway Fabric versions 1.3.0 \u00e0 1.6.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next CNF versions 2.0.0 \u00e0 2.0.2 ant\u00e9rieures \u00e0 2.0.3",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX App Protect DoS versions 4.3.0 \u00e0 4.7.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP APM versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX App Protect WAF versions 4.9.0 \u00e0 4.16.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP SSL Orchestrator versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1 (SSL Orchestrator 12.3.2)",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Ingress Controller versions 5.0.0 \u00e0 5.4.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 21.0.0.2",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Ingress Controller versions 3.5.0 \u00e0 3.7.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Open Source versions 0.3.50 \u00e0 0.9.7 ant\u00e9rieures \u00e0 1.30.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Instance Manager versions 2.16.0 \u00e0 2.21.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Plus versions R36 ant\u00e9rieures \u00e0 R36 P4",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IQ Centralized Management versions 8.4.0 ant\u00e9rieures \u00e0 8.4.1",
"product": {
"name": "BIG-IQ",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP SSL Orchestrator versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4 (SSL Orchestrator 12.3.2)",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next CNF versions 1.1.0 \u00e0 1.4.0 ant\u00e9rieures \u00e0 1.4.1",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX App Protect WAF versions 5.1.0 \u00e0 5.8.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Gateway Fabric versions 2.0.0 \u00e0 2.6.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Ingress Controller versions 4.0.0 \u00e0 4.0.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP PEM versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP APM versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 16.1.0 \u00e0 16.1.6 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP PEM versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Advanced WAF/ASM versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Advanced WAF/ASM versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP PEM versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Plus versions R32 ant\u00e9rieures \u00e0 R32 P6",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "F5 WAF for NGINX versions 5.9.0 \u00e0 5.12.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-41227",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41227"
},
{
"name": "CVE-2026-39458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39458"
},
{
"name": "CVE-2026-42781",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42781"
},
{
"name": "CVE-2026-42780",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42780"
},
{
"name": "CVE-2026-40701",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40701"
},
{
"name": "CVE-2026-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42920"
},
{
"name": "CVE-2026-42409",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42409"
},
{
"name": "CVE-2026-42946",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42946"
},
{
"name": "CVE-2026-42937",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42937"
},
{
"name": "CVE-2026-42919",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42919"
},
{
"name": "CVE-2026-42934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42934"
},
{
"name": "CVE-2026-42406",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42406"
},
{
"name": "CVE-2026-40435",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40435"
},
{
"name": "CVE-2026-34176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34176"
},
{
"name": "CVE-2026-40629",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40629"
},
{
"name": "CVE-2026-32673",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32673"
},
{
"name": "CVE-2026-41953",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41953"
},
{
"name": "CVE-2026-40061",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40061"
},
{
"name": "CVE-2026-42924",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42924"
},
{
"name": "CVE-2026-41225",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41225"
},
{
"name": "CVE-2026-35062",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35062"
},
{
"name": "CVE-2026-40423",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40423"
},
{
"name": "CVE-2026-34019",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34019"
},
{
"name": "CVE-2026-42926",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42926"
},
{
"name": "CVE-2026-20916",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-20916"
},
{
"name": "CVE-2026-41957",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41957"
},
{
"name": "CVE-2026-39455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39455"
},
{
"name": "CVE-2026-40618",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40618"
},
{
"name": "CVE-2026-40631",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40631"
},
{
"name": "CVE-2026-32643",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32643"
},
{
"name": "CVE-2026-41217",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41217"
},
{
"name": "CVE-2026-40698",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40698"
},
{
"name": "CVE-2026-39459",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39459"
},
{
"name": "CVE-2026-40703",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40703"
},
{
"name": "CVE-2026-28758",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28758"
},
{
"name": "CVE-2026-41954",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41954"
},
{
"name": "CVE-2026-40699",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40699"
},
{
"name": "CVE-2026-40462",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40462"
},
{
"name": "CVE-2026-41219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41219"
},
{
"name": "CVE-2026-24464",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24464"
},
{
"name": "CVE-2026-40067",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40067"
},
{
"name": "CVE-2026-42063",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42063"
},
{
"name": "CVE-2026-42408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42408"
},
{
"name": "CVE-2026-40060",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40060"
},
{
"name": "CVE-2026-42945",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42945"
},
{
"name": "CVE-2026-41956",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41956"
},
{
"name": "CVE-2026-41218",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41218"
},
{
"name": "CVE-2026-41959",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41959"
},
{
"name": "CVE-2026-42930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42930"
},
{
"name": "CVE-2026-40460",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40460"
},
{
"name": "CVE-2026-42058",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42058"
}
],
"initial_release_date": "2026-05-15T00:00:00",
"last_revision_date": "2026-05-15T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0591",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-15T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits F5. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits F5",
"vendor_advisories": [
{
"published_at": "2026-05-13",
"title": "Bulletin de s\u00e9curit\u00e9 F5 K000160932",
"url": "https://my.f5.com/manage/s/article/K000160932"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…