F5 Networks Big Ip
Known Exploited F5 Networks Big Ip Vulnerabilities
The following F5 Networks Big Ip vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| F5 BIG-IP Unspecified Vulnerability | F5 BIG-IP APM contains an unspecified vulnerability that could allow a threat actor to achieve remote code execution. CVE-2025-53521 (Exploit Probability: 7.5%) | March 27, 2026 |
| F5 BIG-IP Missing Authentication Vulnerability | F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. CVE-2022-1388 (Exploit Probability: 94.5%) | May 10, 2022 |
| F5 BIG-IP Traffic Management User Interface Remote Code Execution Vulnerability | In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. CVE-2020-5902 (Exploit Probability: 94.4%) | November 3, 2021 |
| F5 iControl REST unauthenticated Remote Code Execution Vulnerability | The iControl REST interface has an unauthenticated remote command execution vulnerability. CVE-2021-22986 (Exploit Probability: 94.5%) | November 3, 2021 |
Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 48 vulnerabilities in F5 Networks Big Ip with an average score of 6.8 out of ten. Last year, in 2025, Big Ip had 42 security vulnerabilities published. That is, 6 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was greater by 0.45.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 48 | 6.76 |
| 2025 | 42 | 7.21 |
| 2024 | 10 | 7.32 |
| 2023 | 20 | 7.25 |
| 2022 | 17 | 7.71 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 0.00 |
It may take a day or so for new Big Ip vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent F5 Networks Big Ip Security Vulnerabilities
CVE-2026-42930: BIG-IP Admin role bypasses Appliance Mode
CVE-2026-42930
8.7 - High
- May 13, 2026
When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Path Traversal: '.../...//'
F5 BIG-IP TMM Crash via Undisclosed SIP Traffic (CVE-2026-40423)
CVE-2026-40423
7.5 - High
- May 13, 2026
When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Allocation of Resources Without Limits or Throttling
Dir Traversal in F5 iControl REST Allows File Deletion
CVE-2026-24464
6.8 - Medium
- May 13, 2026
When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cross a security boundary and delete files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Path Traversal: '.../...//'
F5 BIG-IP TMM Crash via DNS Cache on Virtual Server
CVE-2026-39458
7.5 - High
- May 13, 2026
When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Access of Uninitialized Pointer
F5 BIG-IP BIG-IQ TMOS Shell Permissions Leak Network Status
CVE-2026-41959
6.5 - Medium
- May 13, 2026
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Incorrect Permission Assignment for Critical Resource
Auth Bypass in F5 BIG-IP allows Config Mod for Arbitrary Code Exec
CVE-2026-32643
8.7 - High
- May 13, 2026
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Execution with Unnecessary Privileges
Authenticated iControl REST Leak in F5 BIG-IP Local Users
CVE-2026-42058
4.3 - Medium
- May 13, 2026
An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Incorrect Permission Assignment for Critical Resource
F5 BIG-IP / BIG-IQ Authenticated Cmd Injection via Cert Mngr Role
CVE-2026-42406
8.7 - High
- May 13, 2026
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Privilege Defined With Unsafe Actions
F5 BIG-IP tmsh arp/ndp PrivEsc Exposing Adjacent Net Info
CVE-2026-42937
6.5 - Medium
- May 13, 2026
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Incorrect Permission Assignment for Critical Resource
F5 BIG-IP LDAP Auth Causes httpd FD Exhaustion
CVE-2026-39455
7.5 - High
- May 13, 2026
When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Missing Release of Resource after Effective Lifetime
Authenticated Remote Cmd Injection in F5 iControl REST
CVE-2026-34176
8.7 - High
- May 13, 2026
When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Shell injection
BIG-IP Scripted Monitors Exec Arbitrary Cmd & Cross Security Boundary
CVE-2026-32673
6.5 - Medium
- May 13, 2026
A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Execution with Unnecessary Privileges
BIG-IP TMOS TMSH Command RCE with Escalated Privileges
CVE-2026-41217
6.0 - Medium
- May 13, 2026
A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Incorrect Permission Assignment for Critical Resource
Arbitrary Cmd Exec via Privileged Role in F5 BIG-IP iControl REST/TMOS Shell
CVE-2026-39459
7.2 - High
- May 13, 2026
A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Least Privilege Violation
Arbitrary Cmd Exec in F5 BIG-IP iControl REST
CVE-2026-41225
7.2 - High
- May 13, 2026
A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Incorrect Use of Privileged APIs
Auth Res Admin Can Download Sensitive Files via iControl SOAP
CVE-2026-42063
4.9 - Medium
- May 13, 2026
A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Files or Directories Accessible to External Parties
Privilege Escalation via iControl SOAP in F5 BIG-IP
CVE-2026-40631
8.7 - High
- May 13, 2026
An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Files or Directories Accessible to External Parties
PrivEsc via SNMP Config Creation on F5 BIG-IP/BIG-IQ
CVE-2026-40698
8.7 - High
- May 13, 2026
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Command Injection
BIG-IP Resource Admin Privilege Escalation via Config Mod
CVE-2026-41953
8.7 - High
- May 13, 2026
A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Command Injection
F5 BIG-IP WAF Crash: bd Process Terminates via Undisclosed Requests
CVE-2026-40060
7.5 - High
- May 13, 2026
When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Unchecked Return Value
Priv Escalation via iControl SOAP SNMP Config Create in F5 BIG-IP
CVE-2026-42924
8.7 - High
- May 13, 2026
An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Shell injection
Auth PLE in F5 BIG-IP DNS via iControl REST/TM Shell
CVE-2026-40061
6.5 - Medium
- May 13, 2026
When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Command Injection
F5 BIG-IP HTTP/2 L7 DoS Protection causes TMM memory exhaustion
CVE-2026-41227
7.5 - High
- May 13, 2026
On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Allocation of Resources Without Limits or Throttling
DoS via HTTP::redirect/HTTP::respond iRule on F5 BIG-IP TMM
CVE-2026-42409
7.5 - High
- May 13, 2026
When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
NULL Pointer Dereference
SSL Profile Misconfig Causes TMM Crash on F5 BIG-IP VE/hardware
CVE-2026-40618
7.5 - High
- May 13, 2026
When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Incorrect Calculation of Buffer Size
BIG-IP iControl SOAP Auth User Can Get Other Accounts (CVE-2026-35062)
CVE-2026-35062
6.5 - Medium
- May 13, 2026
An authenticated iControl SOAP user may be able to obtain information of other accounts. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Incorrect Privilege Assignment
TMM Crash on F5 BIG-IP UDP Virtual Server via Undisclosed Requests
CVE-2026-41956
7.5 - High
- May 13, 2026
When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Stack Overflow
F5 BIG-IP SSL Profile Bug: Undisclosed Traffic Blocks New Connections
CVE-2026-40629
7.5 - High
- May 13, 2026
When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Allocation of Resources Without Limits or Throttling
F5 BIG-IP TMM Crash via Dynamic Record Sizing on UDP SSL
CVE-2026-42920
7.5 - High
- May 13, 2026
When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Infinite Loop
BIG-IP Priv Escalation via Authenticated Admin (CVE-2026-42919)
CVE-2026-42919
6.7 - Medium
- May 13, 2026
A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Stack Overflow
ePVA Resource Exhaustion via Local Ethernet Traffic (F5 BIG-IP)
CVE-2026-42781
6.5 - Medium
- May 13, 2026
When embedded Packet Velocity Acceleration (ePVA) acceleration is configured, undisclosed local ethernet traffic can cause an increase in ePVA and Traffic Management Microkernel (TMM) resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Infinite Loop
F5 BIG-IP TMM Crash via PEM iRules exploitation
CVE-2026-41218
7.5 - High
- May 13, 2026
When BIG-IP PEM iRules are configured on a virtual server (iRules using commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and the urlcatquery command), undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Dangling pointer
Privileged Auth Info Disclosure via Hidden TMOS Shell Cmd in BIG-IP DNS
CVE-2026-42408
4.4 - Medium
- May 13, 2026
When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Cleartext Storage of Sensitive Information
Auth RCE in F5 BIG-IP/BIG-IQ Configuration Utility
CVE-2026-41957
8.8 - High
- May 13, 2026
An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Marshaling, Unmarshaling
apmd Crash via Undisclosed Traffic in BIG-IP APM Access Policy
CVE-2026-40067
7.5 - High
- May 13, 2026
When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Classic Buffer Overflow
BFD Vulnerability in F5 BIG-IP TMM Leads to Routing Failover
CVE-2026-34019
5.3 - Medium
- May 13, 2026
When Bidirectional Forwarding Detection (BFD) is configured in Static and Dynamic routing protocols, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to stop processing BFD packets and cause the configured routing protocol to fail over. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Insufficient Resource Pool
Auth Bypass in F5 BIG-IP Config UI
CVE-2026-40699
6.5 - Medium
- May 13, 2026
A vulnerability exists in undisclosed pages of the Configuration utility that may allow a low-privileged authenticated attacker to access undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
XPath Injection
F5 BIG-IP SSL Orchestrator Directory Traversal CVE-2026-42780
CVE-2026-42780
4.9 - Medium
- May 13, 2026
A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Directory traversal
F5 BIG-IP QKView Improper Sanitization Leak
CVE-2026-41219
6.5 - Medium
- May 13, 2026
An improper sanitization vulnerability exists in the BIG-IP QKView utility that allows a low-privileged attacker to read sensitive information from a QKView file. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Insertion of Sensitive Information into Log File
F5 BIG-IP iControl REST Shell Permission Bypass (CVE-2026-40462)
CVE-2026-40462
6.5 - Medium
- May 13, 2026
Incorrect permission assignment vulnerabilities exist in an undisclosed iControl REST and TMOS Shell (tmsh) command, which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Incorrect Permission Assignment for Critical Resource
F5 BIG-IP iControl REST/TMSH Authenticated Info Disclosure
CVE-2026-41954
4.9 - Medium
- May 13, 2026
A sensitive information disclosure vulnerability exists in an undisclosed iControl REST endpoint and TMOS Shell (tmsh) command, which may allow an authenticated attacker with Resource Administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Information Disclosure
F5 BIG-IP DNS gtm_add Returns SSH-Password in Cleartext via iControl REST
CVE-2026-28758
4.4 - Medium
- May 13, 2026
When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands, which return the ssh-password parameter in cleartext in the iControl REST response and also write it to the audit log. This may allow a highly privileged, authenticated attacker with access to the audit log to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Cleartext Storage of Sensitive Information
BIG-IP Config UI CSRF in Dashboard
CVE-2026-40703
5.4 - Medium
- May 13, 2026
A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Session Riding
F5 BIG-IP httpd IP-Block Bypass Opens Unrestricted Endpoints
CVE-2026-40435
5.3 - Medium
- May 13, 2026
When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Unprotected Alternate Channel
BIG-IP AFM/DDoS Undisclosed Traffic Causing TMM Crash
CVE-2026-2507
7.5 - High
- February 18, 2026
When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
NULL Pointer Dereference
BIG-IP Advanced WAF/ASM Crash via Undisclosed Requests (CVE-2026-22548)
CVE-2026-22548
5.9 - Medium
- February 04, 2026
When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Race Condition
F5 BIG-IP Config Page Spoof Error Vulnerability
CVE-2026-20732
3.1 - Low
- February 04, 2026
A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
User Interface (UI) Misrepresentation of Critical Information
BIG-IP Edge Client Info Disclosure via Windows VPN Client
CVE-2026-20730
3.3 - Low
- February 04, 2026
A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Information Disclosure
Vulnerability: TMM Crash on Multi-Bladed Platform (CVE-2025-61990)
CVE-2025-61990
7.5 - High
- October 15, 2025
When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Double-free
XSS in BIG-IP APM permits execution of JS on logged-out user
CVE-2025-61933
6.1 - Medium
- October 15, 2025
A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of BIG-IP APM that allows an attacker to run JavaScript in the context of the targeted logged-out user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
XSS