Description
Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incorrect permission assignment in iControl REST and the tmsh shell allows an authenticated attacker to read sensitive configuration or operational data in F5 BIG‑IP systems. The weakness is catalogued as CWE-732. By bypassing intended access controls, an attacker can expose confidential information that should be restricted to privileged users, thereby compromising the confidentiality of network device settings and potentially enabling further lateral movement.

Affected Systems

The affected vendor is F5 Networks, specifically the BIG‑IP product family. No specific version numbers are listed in the advisory, and the note indicates that software that has reached End of Technical Support has not been evaluated. Administrators should review the linked advisory for the exact supported releases that contain the flaw.

Risk and Exploitability

The CVSS score of 7.1 classifies the vulnerability as high severity. EPSS data is not available, so the exact likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers need a valid authenticated session, which limits exploitation to users with access to iControl REST or the tmsh shell, but once authenticated, the incorrect permission assignment permits retrieval of protected data.

Generated by OpenCVE AI on May 13, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 BIG‑IP patch that resolves the incorrect permission assignment flaw.
  • Reconfigure role‑based access control to restrict iControl REST and tmsh privileges for authenticated users, ensuring the least‑privilege principle is enforced.
  • If a patch is not yet available, temporarily disable or restrict the exposed tmsh command so that only authorized administrative accounts can invoke it.

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:30:00 +0000
  Type: References

Wed, 13 May 2026 17:15:00 +0000
  Type: References
  Type: Metrics
    Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 17:00:00 +0000
  Type: First Time appeared
    Values Added: F5, F5 big-ip
  Type: Vendors & Products
    Values Added: F5, F5 big-ip

Wed, 13 May 2026 15:15:00 +0000
  Type: Description
    Values Added: Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Type: Title
    Values Added: iControl REST and tmsh vulnerability
  Type: Weaknesses
    Values Added: CWE-732
  Type: References
  Type: Metrics
    Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
    Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:36:38.963Z

Reserved: 2026-04-30T23:02:33.914Z

Link: CVE-2026-40462

Vulnrichment

Updated: 2026-05-13T16:17:10.740Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:42.960

Modified: 2026-05-13T17:16:20.340

Link: CVE-2026-40462

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:00:14Z

Weaknesses