Description
When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands, which return the ssh-password parameter in cleartext in the iControl REST response; the value is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to the audit log to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a highly privileged, authenticated attacker who can read audit logs to retrieve the ssh-password parameter in cleartext from the responses of the gtm_add and bigip_add iControl REST commands. This discloses a sensitive credential that could be used to further compromise the managed device. The weakness is cleartext storage of sensitive information (CWE‑312).

Affected Systems

Products affected are F5 BIG‑IP devices when the BIG‑IP DNS feature is provisioned. The advisory does not list specific version ranges, but all supported releases that have the gtm_add and bigip_add commands are implicated. Versions that have reached End of Technical Support are not evaluated in this advisory.

Risk and Exploitability

The CVSS score of 6.7 indicates medium severity, while no EPSS score is available and the vulnerability is not listed in KEV. Exploitation requires high-privileged credentials together with audit log access, so the likelihood depends on internal segregation of duties. If such access is misconfigured or compromised, the attacker could exfiltrate SSH passwords and use them for lateral movement or further credential theft. The attack vector is inferred to be local, or remote where the attacker can authenticate to the iControl REST interface and read audit logs.

Generated by OpenCVE AI on May 13, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 BIG‑IP patch or upgrade that addresses the gtm_add and bigip_add command responses to prevent the ssh-password from being returned or logged.
  • Restrict audit log visibility to only essential personnel and use role‑based access control to limit read permissions.
  • Monitor audit logs for anomalous use of gtm_add and bigip_add commands and alert on suspicious activity.
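The monitoring step above, as an added example that is not part of the OpenCVE page or any F5 tooling: it scans audit-log lines for gtm_add and bigip_add invocations, flags any entry that carries a cleartext ssh-password value, and produces a redacted copy that is safe to forward to a SIEM or ticket. The log line format and sample values are constructed for illustration; the real BIG-IP audit log layout is not shown on the page and may differ.

```python
import re

# Constructed sample audit-log lines in a hypothetical format (not real F5 output).
SAMPLE_AUDIT_LINES = [
    'May 13 16:01:02 bigip1 notice icontrol[1234]: user=admin cmd=gtm_add args="-a 192.0.2.10 ssh-password=S3cret!"',
    'May 13 16:02:10 bigip1 notice icontrol[1234]: user=admin cmd=bigip_add args="-a 192.0.2.11"',
    'May 13 16:03:44 bigip1 notice icontrol[1234]: user=ops cmd=list args="ltm virtual"',
    'May 13 16:05:00 bigip1 notice icontrol[1234]: user=svc-gtm cmd=bigip_add args="192.0.2.12 ssh-password=hunter2"',
]

# Commands named in the advisory whose responses may expose ssh-password.
WATCHED_COMMANDS = ("gtm_add", "bigip_add")
CMD_RE = re.compile(r"\buser=(?P<user>\S+)\s+cmd=(?P<cmd>\S+)")
# Matches "ssh-password=<value>" or "ssh-password: <value>" up to whitespace or a quote.
SECRET_RE = re.compile(r"(ssh-password\s*[=:]\s*)(\S+?)(?=[\s\"']|$)")

def redact_secret(line):
    """Replace any cleartext ssh-password value with a fixed marker."""
    return SECRET_RE.sub(lambda m: m.group(1) + "<REDACTED>", line)

def scan_audit_log(lines):
    """Return one finding per gtm_add/bigip_add invocation.

    Each finding records the user, the command, whether a cleartext
    ssh-password value was present, and a redacted copy of the line.
    """
    findings = []
    for line in lines:
        m = CMD_RE.search(line)
        if not m or m.group("cmd") not in WATCHED_COMMANDS:
            continue
        findings.append({
            "user": m.group("user"),
            "command": m.group("cmd"),
            "secret_exposed": SECRET_RE.search(line) is not None,
            "redacted": redact_secret(line),
        })
    return findings

if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LINES):
        flag = "SECRET EXPOSED" if f["secret_exposed"] else "ok"
        print(f"{flag:14} user={f['user']} cmd={f['command']}")
        print("  " + f["redacted"])
```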


Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:15:00 +0000

Metrics added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 17:00:00 +0000

First Time appeared: F5, F5 big-ip
Vendors & Products added: F5, F5 big-ip

Wed, 13 May 2026 15:15:00 +0000

Description added: When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to the audit log to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title added: BIG-IP iControl REST vulnerability
Weaknesses added: CWE-312
References added: (none listed)
Metrics added: cvssV3_1
{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}
Metrics added: cvssV4_0
{'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:17:28.635Z

Reserved: 2026-04-30T23:02:33.906Z

Link: CVE-2026-28758

Vulnrichment

Updated: 2026-05-13T16:17:24.122Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:37.137

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-28758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:00:14Z

Weaknesses