F5 Networks


Products by F5 Networks, sorted by most security vulnerabilities since 2018

Product               Vulnerabilities
Big Ip Analytics      357
Big Ip Edge Gateway   166
Big Ip                147
F5 Networks           57
Big Ip Websafe        54
Nginx                 48
Njs                   39
Tomcat                32
Enterprise Manager    27
Ssl Orchestrator      27
Nginx Plus            26
Nginx Open Source     26
Http Server           18
F5os A                8
Java                  8
F5os C                7
Mysql                 7
Big Iq Security       5
Big Iq Device         5
Big Iq Cloud          5
Big Ip Apm            4
Big Ip Dns            4
Big Ip Next           3
Nginx Agent           2
Solr                  2
Ofbiz                 1
Pulsar                1
Nginx Unit            1
Graalvm               1

Recent F5 Networks Security Advisories

Advisory    Title                                                                              Published
K000161869  PHP Laravel framework vulnerabilities CVE-2024-52301 and CVE-2018-15133           June 24, 2026
K000161864  Spring WebFlux vulnerability CVE-2026-41847                                        June 23, 2026
K000161863  runc vulnerabilities CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881            June 23, 2026
K000161852  PHP vulnerabilities CVE-2025-1735 and CVE-2026-7258                                June 23, 2026
K000161850  urllib3 vulnerability CVE-2025-66471                                               June 23, 2026
K000161848  PHP vulnerability CVE-2025-1220                                                    June 23, 2026
K000161846  Apache Thrift vulnerability CVE-2026-43870                                         June 23, 2026
K000161824  Linux kernel vulnerability CVE-2026-23290                                          June 22, 2026
K000161823  Linux kernel vulnerability CVE-2025-71095                                          June 22, 2026
K000161821  Multiple Linux kernel vulnerabilities                                              June 22, 2026

Known Exploited F5 Networks Vulnerabilities

The following F5 Networks vulnerabilities are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as known to be exploited by threat actors. The date is the KEV addition date; the percentage is the EPSS exploit probability.

CVE-2025-53521 (added March 27, 2026; EPSS 2.2%)
F5 BIG-IP Unspecified Vulnerability: F5 BIG-IP APM contains an unspecified vulnerability that could allow a threat actor to achieve remote code execution.

CVE-2023-46748 (added October 31, 2023; EPSS 4.5%)
F5 BIG-IP Configuration Utility SQL Injection Vulnerability: F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747.

CVE-2023-46747 (added October 31, 2023; EPSS 96.5%)
F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability: F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748.

CVE-2022-1388 (added May 10, 2022; EPSS 100.0%)
F5 BIG-IP Missing Authentication Vulnerability: F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services.

CVE-2021-22991 (added January 18, 2022; EPSS 61.1%)
F5 BIG-IP Traffic Management Microkernel Buffer Overflow: The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls.

CVE-2020-5902 (added November 3, 2021; EPSS 100.0%)
F5 BIG-IP Traffic Management User Interface Remote Code Execution Vulnerability: In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

CVE-2021-22986 (added November 3, 2021; EPSS 99.9%)
F5 iControl REST Unauthenticated Remote Code Execution Vulnerability: The iControl REST interface has an unauthenticated remote command execution vulnerability.

Of the known exploited vulnerabilities above, five are in the top 1% (the 99th percentile) of the EPSS exploit probability rankings.
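The KEV entry for CVE-2020-5902 above is the only one on this page that names its affected version ranges explicitly, which is enough to build a version check. The following Python is an added example, not F5's tooling: it extracts the Version field from `tmsh show sys version` output (the sample output below is constructed, and its layout is an assumption) and reports which listed range, if any, the version falls in. The ranges are treated as inclusive at both ends, matching the "X-Y" wording. The check is version-based only; it knows nothing about engineering hotfixes or mitigations, so "outside the listed ranges" is not the same as "patched".

```python
import re

# Affected BIG-IP (TMOS) ranges for CVE-2020-5902 as listed on this page.
# Each pair is inclusive at both ends. (Added example, not F5's own tooling.)
CVE_2020_5902_RANGES = [
    ("15.0.0", "15.1.0.3"),
    ("14.1.0", "14.1.2.5"),
    ("13.1.0", "13.1.3.3"),
    ("12.1.0", "12.1.5.1"),
    ("11.6.1", "11.6.5.1"),
]


def parse_version(text):
    """'15.1.0' -> (15, 1, 0, 0): dotted numeric, zero-padded to four fields
    so that 15.1.0 and 15.1.0.0 compare equal."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def affected_ranges(version, ranges=CVE_2020_5902_RANGES):
    """Return the (low, high) pairs that contain `version`; an empty list
    means the version is outside every listed range."""
    v = parse_version(version)
    return [(lo, hi) for lo, hi in ranges
            if parse_version(lo) <= v <= parse_version(hi)]


def version_from_tmsh(output):
    """Pull the 'Version' field out of `tmsh show sys version` text."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line in tmsh output")
    return m.group(1)


# Constructed sample of `tmsh show sys version` output (layout is assumed).
SAMPLE_TMSH_OUTPUT = """
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.0.2
  Build       0.0.9
  Edition     Point Release 2
"""


def report(version):
    hits = affected_ranges(version)
    if hits:
        return f"BIG-IP {version}: within CVE-2020-5902 range {hits[0][0]}-{hits[0][1]}"
    return f"BIG-IP {version}: outside the listed CVE-2020-5902 ranges"


if __name__ == "__main__":
    print(report(version_from_tmsh(SAMPLE_TMSH_OUTPUT)))
    for v in ("15.1.0.4", "14.1.2.5", "11.6.0", "16.0.1"):
        print(report(v))
```

The same `affected_ranges` function works for any advisory that publishes inclusive version ranges; only the table of ranges changes.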

By the Year

In 2026 there have been 153 vulnerabilities in F5 Networks products, with an average CVSS base score of 7.0 out of 10. Last year, in 2025, F5 Networks had 369 security vulnerabilities published. Right now, F5 Networks is on track to have fewer security vulnerabilities in 2026 than it did last year; however, the average CVE base score of the 2026 vulnerabilities is greater by 0.13.




Year Vulnerabilities Average Score
2026 153 7.00
2025 369 6.87
2024 346 6.46
2023 177 7.00
2022 406 7.04
2021 327 7.23
2020 263 6.62
2019 303 6.75
2018 218 7.01

It may take a day or so for new F5 Networks vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent F5 Networks Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-32682 Jun 17, 2026
Authenticated Remote Attacker Can Crash NGINX GW Fabric via GRPCRoute When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-50107 Jun 17, 2026
NGINX Gateway Fabric Config Generator Injection in CRD Log Format When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-42055 Jun 17, 2026
NGINX Heap Buffer Overflow via Large HTTP/2 Headers in Proxy Modules NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. The vulnerability exists when proxy_http_version is set to 2 or the grpc_pass directive is used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while an upstream request is being created. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Open Source
Nginx Plus
CVE-2026-11311 Jun 17, 2026
NGINX Gateway Fabric Config Generator Injection via Unescaped CRD Fields When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-48142 Jun 17, 2026
NGINX ngx_http_charset_module Heap Buffer Over-Read NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Open Source
Nginx Plus
CVE-2026-42530 Jun 17, 2026
NGINX v3 Module UAF via HTTP/3 Session Reopen NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Open Source
CVE-2026-41732 Jun 09, 2026
Spring Pulsar JSON Header RCE: Trusted Package Prefix (2.0.5, 1.2.17, 1.1.17) JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
Pulsar
CVE-2026-41847 Jun 09, 2026
Spring WebFlux Kotlin Router DSL Security Bypass (5.3.0-5.3.48) Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.
CVE-2026-49975 Jun 08, 2026
Apache HTTP Server mod_http DoS via Excessive Memory Allocation (2.4.17-2.4.67) Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Http Server
CVE-2026-3238 Jun 08, 2026
Samba WINS NULL Deref via UDP A flaw was found in Samba's WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.
CVE-2026-9256 May 22, 2026
Heap Overflow in ngx_http_rewrite_module (NGINX) via PCRE Capture Overlap NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-42960 May 20, 2026
Unbound<=1.25.0: DNS Cache Poison via Promiscuous Authority RRSets NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.
CVE-2026-8711 May 19, 2026
NGINX JS js_fetch_proxy Heap Overflow & Code Exec via Client-Controlled Vars NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-42926 May 13, 2026
NGINX HTTP/2 Proxy Body Injection Vulnerability When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Open Source
CVE-2026-42946 May 13, 2026
NGINX SCGI/UWSGI Modules Excessive Memory Allocation via MITM A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-40460 May 13, 2026
NGINX HTTP/3 QUIC IP Spoofing for Auth / Rate Limiting Bypass When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-42945 May 13, 2026
Heap Buffer Overflow in NGINX ngx_http_rewrite_module via PCRE Capture NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker, along with conditions beyond their control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-42934 May 13, 2026
NGINX ngx_http_charset_module Heap Buffer Over-read in Worker Process NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When the charset, source_charset, and charset_map directives are configured together with proxy_pass with buffering disabled (off), unauthenticated attackers can send requests that, in conjunction with conditions beyond their control, cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-40701 May 13, 2026
NGINX Heap UAF via ssl_verify_client/ssl_ocsp in ngx_http_ssl_module NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests that, along with conditions beyond their control, may cause a heap use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Nginx Plus
Nginx Open Source
CVE-2026-24464 May 13, 2026
Dir Traversal in F5 iControl REST Allows File Deletion When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cross a security boundary and delete files.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42930 May 13, 2026
BIG-IP Admin role bypasses Appliance Mode When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40423 May 13, 2026
F5 BIG-IP TMM Crash via Undisclosed SIP Traffic When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41959 May 13, 2026
F5 BIG-IP BIG-IQ TMOS Shell Permissions Leak Network Status Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-39458 May 13, 2026
F5 BIGIP TMM Crash via DNS Cache on Virtual Server When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42058 May 13, 2026
Authenticated iControl REST Leak in F5 BIG-IP Local Users An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42406 May 13, 2026
F5 BIG-IP / BIG-IQ Authenticated Cmd Injection via Cert Mngr Role A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.     Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-32643 May 13, 2026
Auth Bypass in F5 BIGIP allows Config Mod for Arbitrary Code Exec A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42937 May 13, 2026
F5 BIG-IP tmsh arp/ndp PrivEsc Exposing Adjacent Net Info Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-39455 May 13, 2026
F5 BIG-IP LDAP Auth Causes httpd FD Exhaustion When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-34176 May 13, 2026
Authenticated Remote Cmd Injection in F5 iControl REST When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41217 May 13, 2026
BIG-IP TMOS TMSH Command RCE with Escalated Privileges A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-32673 May 13, 2026
BIG-IP Scripted Monitors Exec Arbitrary Cmd & Cross Security Boundary A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-39459 May 13, 2026
Arbitrary Cmd Exec via Privileged Role in F5 BIG-IP iControl REST/TMOS Shell A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41225 May 13, 2026
Arbitrary Cmd Exec in F5 BIG-IP iControl REST A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42063 May 13, 2026
Auth Res Admin Can Download Sensitive Files via iControl SOAP A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40631 May 13, 2026
Privilege Escalation via iControl SOAP in F5 BIG-IP An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40698 May 13, 2026
PrivEsc via SNMP Config Creation on F5 BIG-IP/BIG-IQ A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41953 May 13, 2026
Big-IP Resource Admin Privilege Escalation via Config Mod A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42924 May 13, 2026
Priv Escalation via iControl SOAP SNMP Config Create in F5 BIG-IP An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40060 May 13, 2026
F5 BIGIP WAF Crash: bd Process Terminates via Undisclosed Requests When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42409 May 13, 2026
DoS via HTTP::redirect/HTTP::respond iRule on F5 BIG-IP TMM When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40061 May 13, 2026
Auth PLE in F5 BIG-IP DNS via iControl REST/TM Shell When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41227 May 13, 2026
F5 BIG-IP HTTP/2 L7 DoS Protection causes TMM memory exhaustion On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40618 May 13, 2026
SSL Profile Misconfig Causes TMM Crash on F5 BIG-IP VE/hardware When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-41956 May 13, 2026
TMM Crash on F5 BIG-IP UDP Virtual Server via Undisclosed Requests When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-35062 May 13, 2026
BIG-IP iControl SOAP Auth User Can Get Other Accounts An authenticated iControl SOAP user may be able to obtain information of other accounts. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42920 May 13, 2026
F5 BIG-IP TMM Crash via Dynamic RecFmt on UDP SSL When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-40629 May 13, 2026
F5 BIGIP SSL Profile Bug Undisclosed Traffic Blocks New Connections When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42781 May 13, 2026
ePVA Resource Exhaustion via Local Ethernet Traffic (F5 BIG-IP) When embedded Packet Velocity Acceleration (ePVA) acceleration is configured, undisclosed local ethernet traffic can cause an increase in ePVA and Traffic Management Microkernel (TMM) resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
CVE-2026-42919 May 13, 2026
BIG-IP Priv Escalation via Authenticated Admin A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Big Ip
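Several of the NGINX entries in the list above state their configuration preconditions precisely: CVE-2026-42055 needs proxy_http_version 2 or grpc_pass together with ignore_invalid_headers off and large_client_header_buffers larger than 2 megabytes; CVE-2026-48142 needs source_charset utf-8 together with a charset directive in the same location; CVE-2026-8711 needs js_fetch_proxy built from a client-controlled variable such as $http_*, $arg_* or $cookie_*. The Python below is an added example, not F5's or NGINX's code: a small nginx.conf parser that carries inherited directives down from http to server to location and flags every context meeting one of those precondition sets. The configuration it scans is constructed for the demonstration. Treat the output as triage, not proof: a hit means the configuration matches the published preconditions of an entry, not that the installed build is vulnerable, and the CVE-2026-8711 check cannot see whether the location's JavaScript actually calls ngx.fetch().

```python
import re

# Directives whose effective value the checks need. nginx inherits them from
# http -> server -> location, so the walker carries the current value down.
INHERITED = {"proxy_http_version", "ignore_invalid_headers",
             "large_client_header_buffers", "source_charset", "charset"}
CLIENT_VAR_RE = re.compile(r"\$(?:http_|arg_|cookie_)\w+")
TWO_MB = 2 * 1024 * 1024

# Tokens: comments, quoted strings, the three punctuation tokens, bare words.
TOKEN_RE = re.compile(
    r'''#[^\n]*|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[{};]|[^\s{};#"']+''')


def tokenize(text):
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok.startswith("#"):
            continue                                   # drop comments
        yield tok[1:-1] if tok[0] in "\"'" else tok    # strip quotes


def parse(text):
    """Tree of (name, args, children); children is None for a simple
    directive and a list for a block such as http, server or location."""
    stack, cur = [[]], []
    for tok in tokenize(text):
        if tok in (";", "{"):
            if not cur:
                raise ValueError("directive without a name")
            node = (cur[0], cur[1:], None if tok == ";" else [])
            stack[-1].append(node)
            if tok == "{":
                stack.append(node[2])
            cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
    if cur or len(stack) != 1:
        raise ValueError("unbalanced or unterminated configuration")
    return stack[0]


def size_bytes(s):
    """nginx size syntax: plain bytes, or a k/m suffix."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", s)
    if not m:
        raise ValueError(f"bad size {s!r}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(2).lower()]


def scan(nodes, kind="main", path="main", eff=None, findings=None):
    """Return [(cve, context, detail)] for every context that meets the
    published preconditions. `eff` holds the inherited effective directives."""
    eff = dict(eff or {})
    findings = [] if findings is None else findings
    local = {name for name, _, children in nodes if children is None}
    for name, args, children in nodes:
        if children is None and name in INHERITED:
            eff[name] = args
    # CVE-2026-42055: HTTP/2 upstream, ignore_invalid_headers off, >2 MB buffers
    if "proxy_pass" in local or "grpc_pass" in local:
        h2 = "grpc_pass" in local or eff.get("proxy_http_version") == ["2"]
        lchb = eff.get("large_client_header_buffers")
        big = bool(lchb) and size_bytes(lchb[-1]) > TWO_MB
        if h2 and eff.get("ignore_invalid_headers") == ["off"] and big:
            findings.append(("CVE-2026-42055", path,
                             "HTTP/2 upstream, ignore_invalid_headers off, "
                             f"large_client_header_buffers {' '.join(lchb)}"))
    # CVE-2026-48142: source_charset utf-8 plus a charset directive in a location
    cs = eff.get("charset")
    src = [a.lower() for a in eff.get("source_charset", [])]
    if kind == "location" and src == ["utf-8"] and cs and cs[0].lower() != "off":
        findings.append(("CVE-2026-48142", path,
                         f"source_charset utf-8 with charset {cs[0]}"))
    # CVE-2026-8711: js_fetch_proxy built from a client-controlled variable
    for name, args, children in nodes:
        if name == "js_fetch_proxy":
            tainted = CLIENT_VAR_RE.findall(" ".join(args))
            if tainted:
                findings.append(("CVE-2026-8711", path,
                                 "js_fetch_proxy uses " + ", ".join(tainted)))
    for name, args, children in nodes:
        if children is not None:
            label = name + (" " + " ".join(args) if args else "")
            scan(children, name, f"{path} > {label}", eff, findings)
    return findings


def scan_config(text):
    return scan(parse(text))


# Constructed configuration for the demonstration (not a real deployment).
SAMPLE_CONFIG = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;
    server {
        listen 443 ssl http2;
        source_charset utf-8;
        location /api/    { proxy_http_version 2; proxy_pass https://backend; }
        location /legacy/ { charset koi8-r; proxy_pass http://legacy; }
        location /fetch/  { js_fetch_proxy $http_x_upstream; js_content app.fetch; }
        location /safe/   { charset off; proxy_pass http://safe; }
    }
}
"""

if __name__ == "__main__":
    for cve, ctx, detail in scan_config(SAMPLE_CONFIG):
        print(f"{cve}: {ctx}: {detail}")
```

Run against the sample, the /api/ location trips the CVE-2026-42055 precondition set, /legacy/ trips CVE-2026-48142 because source_charset is inherited from the server block, /fetch/ trips CVE-2026-8711, and /safe/ is clean because charset off is not a charset. The parser handles quoted arguments, comments and nested blocks but deliberately ignores include files; pass it the output of `nginx -T` if you want the fully assembled configuration.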
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.