Reporter Brandon Perry
Linked below is an advisory regarding remote command execution (as root,
possibly) vulnerabilities within the iControl API:
An example request that will set the hostname to 'root.example.com':
<?xml version="1.0" encoding="ISO-8859-1"?>
This was responsibly disclosed to F5 on the 7th of February. If you
would like the full communication timeline, feel free to ask.