CVE-2026-41954

MEDIUM

F5 - iControl REST and Tmsh Vulnerability

Title source: rule
STIX 2.1

Description

Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory patch
https://my.f5.com/manage/s/article/K32950402

Scores

CVSS v3 4.9
EPSS 0.0029
EPSS Percentile 21.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (49)
F5/BIG-IP 16.1.0
F5/BIG-IP 17.1.0 - 17.1.3.1
F5/BIG-IP 17.5.0 - 17.5.1.4
F5/BIG-IP 21.0.0 - 21.0.0.1
F5/BIG-IP 21.1.0
f5/big-ip_access_policy_manager 21.0.0
f5/big-ip_access_policy_manager 17.1.0 - 17.1.3
f5/big-ip_advanced_firewall_manager 21.0.0
f5/big-ip_advanced_firewall_manager 17.1.0 - 17.1.3
f5/big-ip_advanced_web_application_firewall 21.0.0
... and 39 more
Published May 13, 2026
Tracked Since May 13, 2026