CVE-2026-41954

MEDIUM EPSS 21.1%

Published May 13, 20261mo ago · Modified Jun 24, 20265d ago

6.9 CVSS 4.0

Medium

Published May 13, 2026 1mo ago

Last Modified Jun 24, 2026 5d ago

Description

Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

Base Score

6.9

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

21.1% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 85

Vendor	Product	Version	Range
f5	big-ip_access_policy_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_access_policy_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_advanced_firewall_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_advanced_firewall_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_advanced_web_application_firewall	*	≥17.1.0 – ≤17.1.3
f5	big-ip_advanced_web_application_firewall	*	≥17.5.0 – ≤17.5.1
f5	big-ip_analytics	*	≥17.1.0 – ≤17.1.3
f5	big-ip_analytics	*	≥17.5.0 – ≤17.5.1
f5	big-ip_application_acceleration_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_application_acceleration_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_application_security_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_application_security_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_application_visibility_and_reporting	*	≥17.1.0 – ≤17.1.3
f5	big-ip_application_visibility_and_reporting	*	≥17.5.0 – ≤17.5.1
f5	big-ip_automation_toolchain	*	≥17.1.0 – ≤17.1.3
f5	big-ip_automation_toolchain	*	≥17.5.0 – ≤17.5.1
f5	big-ip_carrier-grade_nat	*	≥17.1.0 – ≤17.1.3
f5	big-ip_carrier-grade_nat	*	≥17.5.0 – ≤17.5.1
f5	big-ip_container_ingress_services	*	≥17.1.0 – ≤17.1.3
f5	big-ip_container_ingress_services	*	≥17.5.0 – ≤17.5.1
f5	big-ip_ddos_hybrid_defender	*	≥17.1.0 – ≤17.1.3
f5	big-ip_ddos_hybrid_defender	*	≥17.5.0 – ≤17.5.1
f5	big-ip_domain_name_system	*	≥17.1.0 – ≤17.1.3
f5	big-ip_domain_name_system	*	≥17.5.0 – ≤17.5.1
f5	big-ip_edge_gateway	*	≥17.1.0 – ≤17.1.3
f5	big-ip_edge_gateway	*	≥17.5.0 – ≤17.5.1
f5	big-ip_fraud_protection_service	*	≥17.1.0 – ≤17.1.3
f5	big-ip_fraud_protection_service	*	≥17.5.0 – ≤17.5.1
f5	big-ip_global_traffic_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_global_traffic_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_link_controller	*	≥17.1.0 – ≤17.1.3
f5	big-ip_link_controller	*	≥17.5.0 – ≤17.5.1
f5	big-ip_local_traffic_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_local_traffic_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_policy_enforcement_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_policy_enforcement_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_ssl_orchestrator	*	≥17.1.0 – ≤17.1.3
f5	big-ip_ssl_orchestrator	*	≥17.5.0 – ≤17.5.1
f5	big-ip_webaccelerator	*	≥17.1.0 – ≤17.1.3
f5	big-ip_webaccelerator	*	≥17.5.0 – ≤17.5.1
f5	big-ip_websafe	*	≥17.1.0 – ≤17.1.3
f5	big-ip_websafe	*	≥17.5.0 – ≤17.5.1
f5	big-ip_access_policy_manager	21.0.0	any
f5	big-ip_advanced_firewall_manager	21.0.0	any
f5	big-ip_advanced_web_application_firewall	21.0.0	any
f5	big-ip_analytics	21.0.0	any
f5	big-ip_application_acceleration_manager	21.0.0	any
f5	big-ip_application_security_manager	21.0.0	any
f5	big-ip_application_visibility_and_reporting	21.0.0	any
f5	big-ip_automation_toolchain	21.0.0	any
f5	big-ip_carrier-grade_nat	21.0.0	any
f5	big-ip_container_ingress_services	21.0.0	any
f5	big-ip_ddos_hybrid_defender	21.0.0	any
f5	big-ip_domain_name_system	21.0.0	any
f5	big-ip_edge_gateway	21.0.0	any
f5	big-ip_fraud_protection_service	21.0.0	any
f5	big-ip_global_traffic_manager	21.0.0	any
f5	big-ip_link_controller	21.0.0	any
f5	big-ip_local_traffic_manager	21.0.0	any
f5	big-ip_policy_enforcement_manager	21.0.0	any
f5	big-ip_ssl_orchestrator	21.0.0	any
f5	big-ip_webaccelerator	21.0.0	any
f5	big-ip_websafe	21.0.0	any
f5	big-iq_centralized_management	8.4.0	any
f5	big-ip_access_policy_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_advanced_firewall_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_advanced_web_application_firewall	*	≥16.1.0 – ≤16.1.6
f5	big-ip_analytics	*	≥16.1.0 – ≤16.1.6
f5	big-ip_application_acceleration_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_application_security_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_application_visibility_and_reporting	*	≥16.1.0 – ≤16.1.6
f5	big-ip_automation_toolchain	*	≥16.1.0 – ≤16.1.6
f5	big-ip_carrier-grade_nat	*	≥16.1.0 – ≤16.1.6
f5	big-ip_container_ingress_services	*	≥16.1.0 – ≤16.1.6
f5	big-ip_ddos_hybrid_defender	*	≥16.1.0 – ≤16.1.6
f5	big-ip_domain_name_system	*	≥16.1.0 – ≤16.1.6
f5	big-ip_edge_gateway	*	≥16.1.0 – ≤16.1.6
f5	big-ip_fraud_protection_service	*	≥16.1.0 – ≤16.1.6
f5	big-ip_global_traffic_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_link_controller	*	≥16.1.0 – ≤16.1.6
f5	big-ip_local_traffic_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_policy_enforcement_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_ssl_orchestrator	*	≥16.1.0 – ≤16.1.6
f5	big-ip_webaccelerator	*	≥16.1.0 – ≤16.1.6
f5	big-ip_websafe	*	≥16.1.0 – ≤16.1.6

References 1

my.f5.com https://my.f5.com/manage/s/article/K32950402

MitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.