Description
A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-02-04
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Spoofed error messages that could mislead administrators
Action: Patch
AI Analysis

Impact

The vulnerability resides in an undisclosed configuration utility page of F5 BIG‑IP, allowing an attacker to fabricate error messages. This flaw, classified as CWE‑451, could cause administrators to be misled or to trust incorrect system states, potentially leading to incorrect troubleshooting or authorization decisions. The official description does not indicate that confidentiality, integrity, or availability are directly compromised, so the impact is limited to deceptive authentication of error states.

Affected Systems

All F5 BIG‑IP products that incorporate the exposed configuration utility page, including Advanced Web Application Firewall, Application Acceleration Manager, Analytics, and other listed variants, are potentially affected. No specific version ranges are provided, so all current releases should be reviewed for the presence of the vulnerable page.

Risk and Exploitability

The CVSS score reflects a low‑severity weakness; the EPSS probability is below 1 % and the flaw is not listed in the CISA KEV catalog. The likely attack vector is remote, via the web‑based configuration interface, and the attacker would need administrative or privileged credentials to reach the vulnerable page. Because the flaw only allows message spoofing, the overall risk is low, but it introduces a subtle avenue for deception that can be exploited in targeted environments.

Generated by OpenCVE AI on April 17, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or update to a BIG‑IP version that eliminates the vulnerable configuration utility page.
  • If a patch is unavailable, restrict access to the configuration utility to trusted administrators only and enforce strict role‑based access controls.
  • Monitor configuration and error logs for unexpected or repeated error messages that could indicate spoofing attempts, and investigate anomalies promptly.

Generated by OpenCVE AI on April 17, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared F5 big-ip Access Policy Manager
F5 big-ip Advanced Firewall Manager
F5 big-ip Advanced Web Application Firewall
F5 big-ip Analytics
F5 big-ip Application Acceleration Manager
F5 big-ip Application Security Manager
F5 big-ip Application Visibility And Reporting
F5 big-ip Automation Toolchain
F5 big-ip Carrier-grade Nat
F5 big-ip Container Ingress Services
F5 big-ip Ddos Hybrid Defender
F5 big-ip Domain Name System
F5 big-ip Edge Gateway
F5 big-ip Fraud Protection Service
F5 big-ip Global Traffic Manager
F5 big-ip Link Controller
F5 big-ip Local Traffic Manager
F5 big-ip Policy Enforcement Manager
F5 big-ip Ssl Orchestrator
F5 big-ip Webaccelerator
F5 big-ip Websafe
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_container_ingress_services:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*
Vendors & Products F5 big-ip Access Policy Manager
F5 big-ip Advanced Firewall Manager
F5 big-ip Advanced Web Application Firewall
F5 big-ip Analytics
F5 big-ip Application Acceleration Manager
F5 big-ip Application Security Manager
F5 big-ip Application Visibility And Reporting
F5 big-ip Automation Toolchain
F5 big-ip Carrier-grade Nat
F5 big-ip Container Ingress Services
F5 big-ip Ddos Hybrid Defender
F5 big-ip Domain Name System
F5 big-ip Edge Gateway
F5 big-ip Fraud Protection Service
F5 big-ip Global Traffic Manager
F5 big-ip Link Controller
F5 big-ip Local Traffic Manager
F5 big-ip Policy Enforcement Manager
F5 big-ip Ssl Orchestrator
F5 big-ip Webaccelerator
F5 big-ip Websafe

Wed, 04 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 big-ip
Vendors & Products F5
F5 big-ip

Wed, 04 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title BIG-IP Configuration utility vulnerability
Weaknesses CWE-451
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

F5 Big-ip Big-ip Access Policy Manager Big-ip Advanced Firewall Manager Big-ip Advanced Web Application Firewall Big-ip Analytics Big-ip Application Acceleration Manager Big-ip Application Security Manager Big-ip Application Visibility And Reporting Big-ip Automation Toolchain Big-ip Carrier-grade Nat Big-ip Container Ingress Services Big-ip Ddos Hybrid Defender Big-ip Domain Name System Big-ip Edge Gateway Big-ip Fraud Protection Service Big-ip Global Traffic Manager Big-ip Link Controller Big-ip Local Traffic Manager Big-ip Policy Enforcement Manager Big-ip Ssl Orchestrator Big-ip Webaccelerator Big-ip Websafe
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-02-04T16:08:05.470Z

Reserved: 2026-01-21T21:33:16.381Z

Link: CVE-2026-20732

cve-icon Vulnrichment

Updated: 2026-02-04T16:07:56.927Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T15:16:14.740

Modified: 2026-02-13T21:44:33.627

Link: CVE-2026-20732

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:00:09Z

Weaknesses