CVE-2026-42937

Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell tmsh arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information. Note: Software versions which have reached End of Technical...

CVE-2026-28758

When BIG-IP DNS is provisioned, a vulnerability exists in the gtmadd and bigipadd iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to...

F5 Networks BIG-IP : iControl REST and tmsh vulnerability (K000160863)

The version of F5 Networks BIG-IP installed on the remote host is prior to 17.1.3.2 / 17.5.1.6 / 21.0.0.2. It is, therefore, affected by a vulnerability as referenced in the K000160863 advisory. A vulnerability exists in iControl REST and the TMOS Shell tmsh where a highly privileged, authenticat...

F5 Networks BIG-IP : iControl REST and tmsh vulnerability (K000161018)

The version of F5 Networks BIG-IP installed on the remote host is prior to 17.1.3.2 / 17.5.1.6 / 21.0.0.2. It is, therefore, affected by a vulnerability as referenced in the K000161018 advisory. Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell...

EUVD-2026-29970

When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell tmsh command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In Appliance mode...

EUVD-2026-29959

When BIG-IP DNS is provisioned, a vulnerability exists in the gtmadd and bigipadd iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to...

CVE-2026-40698

A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell tmsh resulting in privilege escalation. Note: Software versions which...

CVE-2026-28758

When BIG-IP DNS is provisioned, a vulnerability exists in the gtmadd and bigipadd iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to...

CVE-2026-41959

Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell tmsh network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems. Note: Software versions which have...

K000161018: iControl REST and tmsh vulnerability CVE-2026-42937

Security Advisory Description Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell tmsh arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information. CVE-2026-42937 Impact An...

PT-2026-40680

Name of the Vulnerable Software and Affected Versions BIG-IP affected versions not specified BIG-IQ affected versions not specified Description Incorrect permission assignment issues exist in the BIG-IP and BIG-IQ TMOS Shell tmsh 'arp' and 'ndp' commands, as well as in BIG-IP iControl REST. These...

EUVD-2023-46066

Malicious code in bioql PyPI...

CVE-2025-49584 XWiki makes title of inaccessible pages available through the class property values REST API

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default...

CVE-2023-22326

In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell tmsh dig command which...

F5 BIG-IP 安全漏洞

F5 BIG-IP is an application delivery platform from F5 that integrates network traffic orchestration, load balancing, intelligent DNS, remote access policy management, etc. F5 iControl REST and TMSH have improper privilege management, and an authenticated attacker with resource administrator role...

CVE-2022-35243

In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.5.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, using an undisclosed iControl REST endpoint. ...

CVE-2022-26415

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance...

VulnCheck KEV: CVE-2021-22986

F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system commands, create or delete files, and disable services...

CVE-2019-6621

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user. This issue impacts both...