17 matches found

EUVD
added 2026/05/13 6:30 p.m., 8 views

EUVD-2026-29993

An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...

CVSS 5.3, AI score 5.8, EPSS 0.00187
Exploits 0, References 2
NVD
added 2026/05/13 4:16 p.m., 8 views

CVE-2026-41225

A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...

CVSS 9.1, EPSS 0.00272
Exploits 0, References 1
Cvelist
added 2026/05/13 2:12 p.m., 28 views

CVE-2026-41959 iControl and tmsh REST vulnerability

Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems. Note: Software versions which have...

CVSS 7.1, EPSS 0.00203
Exploits 0, References 1
ATTACKERKB
added 2026/05/13 2:12 p.m., 9 views

CVE-2026-42058

An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...

CVSS 5.3, AI score 5.8, EPSS 0.00187
Exploits 0, References 2, Affected Software 1
CVE
added 2026/05/13 2:12 p.m., 18 views

CVE-2026-41954

CVE-2026-41954 affects F5 BIG-IP/iControl REST and tmsh. An authenticated resource administrator can view sensitive information via crafted requests (remote iControl REST or local tmsh). The F5 advisory lists affected branches: BIG-IP 21.x (vulnerable at 21.0.0; fix 21.0.0.1), 17.x (various sub-b...

CVSS 6.9, AI score 5.8, EPSS 0.00294
Exploits 0, References 1, Affected Software 21
CNVD
added 2025/10/17 12:0 a.m., 3 views

F5 BIG-IP Elevation of Privilege Vulnerability

F5 BIG-IP is an application delivery platform from F5 that integrates network traffic orchestration, load balancing, intelligent DNS, and remote access policy management. An elevation of privilege vulnerability exists in the BIG-IP's iControl REST and TMOS Shell (tmsh) modules. The vulnerability...

CVSS 9.1, AI score 7.6, EPSS 0.00359
Exploits 0, References 1
OSV
added 2025/10/15 2:15 p.m., 3 views

CVE-2025-59481

A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with at least resource administrator role to execute arbitrary system commands with higher privileges. A successful exploit can allow the attacker to cross a security...

CVSS 8.7, AI score 5.8, EPSS 0.00359
Exploits 0, References 1
Vulnrichment
added 2025/10/15 1:55 p.m., 4 views

CVE-2025-59481 BIG-IP iControl REST and tmsh vulnerability

A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with at least resource administrator role to execute arbitrary system commands with higher privileges. A successful exploit can allow the attacker to cross a security...

CVSS 8.7, AI score 6.9, EPSS 0.00359
Exploits 0, References 1
Positive Technologies
added 2024/08/14 12:0 a.m., 5 views

PT-2024-29539 · F5 · F5 Big-Ip

Name of the Vulnerable Software and Affected Versions: F5 BIG-IP affected versions not specified
Description: Undisclosed requests to BIG-IP iControl REST can lead to information leak of user account names. Note that software versions which have reached End of Technical Support (EoTS) are not...

CVSS 5.3, AI score 6.8, EPSS 0.00301
Exploits 0, References 5
OSV
added 2023/05/03 3:15 p.m., 5 views

CVE-2023-29240

An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...

CVSS 5.4, AI score 6.2, EPSS 0.00405
Exploits 0, References 1
OSV
added 2022/12/07 4:15 a.m., 1 view

CVE-2022-41622

In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...

CVSS 8.8, AI score 5.7, EPSS 0.87987
Exploits 7, References 1
Packet Storm
added 2022/11/21 12:0 a.m., 470 views

F5 BIG-IP iControl Cross Site Request Forgery

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'F5 BIG-IP iControl CSRF File Write SOAP API', 'Description' = %q This module exploits a cross-site request forgery CSRF vulnerability in F5...

AI score 0.7, EPSS 0.87987
Exploits 9
BDU FSTEC
added 2022/08/15 12:0 a.m., 3 views

The vulnerability of the iControl REST API for BIG-IP application protection interfaces allows an attacker to execute arbitrary commands, disable arbitrary services, and create or delete arbitrary files.

The vulnerability of the iControl REST API for BIG-IP application protection interfaces is related to incorrect session duration settings. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands remotely, disable arbitrary services, and create or delete arbitrary file...

CVSS 10, AI score 8.1, EPSS 0.00575
Exploits 0, References 2, Affected Software 12
BDU FSTEC
added 2022/07/21 12:0 a.m., 2 views

The vulnerability of the iControl REST API interface for access control and remote authentication, the BIG-IP Access Policy Manager, the virtual server for application protection, the BIG-IP Advanced Web Application Firewall, the BIG-IP Advanced Firewall Manager, the infrastructure status analysis tool, the BIG-IP Application Acceleration Manager, the DDoS protection module, the BIG-IP Fraud Protection Service, the Internet traffic balancing system, the BIG-IP Link Controller, and the local traffic balancing system – all of these allow a perpetrator to cause service interruptions.

The vulnerabilities of the iControl REST API interface for access control and remote authentication, the BIG-IP Access Policy Manager, the virtual server for application protection, the BIG-IP Advanced Web Application Firewall, the BIG-IP Advanced Firewall Manager, the infrastructure status...

CVSS 6.8, AI score 6.7, EPSS 0.00895
Exploits 0, References 3, Affected Software 15
BDU FSTEC
added 2022/05/11 12:0 a.m., 3 views

The vulnerability of the iControl REST API for BIG-IP application protection interfaces allows an attacker to execute arbitrary commands, modify or delete files.

The vulnerability of the iControl REST API for BIG-IP application protection interfaces is related to the lack of authentication checks for a critical function. Exploiting this vulnerability allows an attacker to execute arbitrary commands, modify or delete files remotely...

CVSS 10, AI score 8.4, EPSS 0.99956
Exploits 63, References 5, Affected Software 10
OSV
added 2017/12/21 5:29 p.m., 2 views

CVE-2017-6167

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, race conditions in iControl REST may lead to commands being executed with different privilege levels than expected...

CVSS 7.5, AI score 5.8, EPSS 0.01062
Exploits 0, References 2
CNVD
added 2017/10/23 12:0 a.m., 4 views

Multiple F5 Product Access Privilege Vulnerabilities

F5 BIG-IP LTM and so on are products of F5 Corporation in the U.S.A. F5 BIG-IP LTM is a local traffic manager; BIG-IP AAM is an application acceleration manager. iControl REST is one of the stateful display transport interfaces. A security vulnerability exists in iControl REST in several F5...

CVSS 7.5, AI score 6.8, EPSS 0.01053
Exploits 0, References 1