Description
A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in F5 BIG‑IP’s Configuration utility and permits a low‑privileged authenticated user to view sensitive data on pages that are not intended for public disclosure. The vulnerability stems from inadequate validation of page requests, leading to unintended exposure of confidential configuration information. The result is a confidentiality breach, potentially revealing sensitive system details to an attacker with non‑admin credentials.

Affected Systems

The affected product is F5 BIG‑IP. No specific version range is supplied in the advisory, and End of Technical Support releases have not been evaluated. Administrators should verify that their installed BIG‑IP instances are on supported releases and consult the F5 advisory at my.f5.com for detailed guidance.

Risk and Exploitability

Based on the description, it is inferred that the attacker must first obtain a legitimate user account and then navigate the Configuration utility. The CVSS score of 7.1 indicates a high potential for significant impact if exploited. The EPSS score is not available, so the likelihood of real‑world exploitation cannot be quantified, yet the presence of the issue in a widely deployed service and the moderate score warrant serious attention. The vulnerability is not listed in the CISA KEV catalog. The combination of a medium‑to‑high severity rating and the absence of mitigation evidence suggests that organizations should treat this as a critical concern and prioritize remediation.

Generated by OpenCVE AI on May 13, 2026 at 16:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 BIG‑IP patch or firmware that addresses the vulnerability as detailed in the F5 advisory K000150515.
  • Restrict access to the Configuration utility through role‑based access control, ensuring that only users with administrative privileges can view sensitive content.
  • Conduct an internal audit of the Configuration utility pages to verify that no unintended sensitive data is exposed and review system logs for anomalous access attempts.

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | F5; F5 big-ip
Vendors & Products | | F5; F5 big-ip

Wed, 13 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
References | |

Wed, 13 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title | | BIG-IP Configuration utility vulnerability
Weaknesses | | CWE-643
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:41:41.603Z

Reserved: 2026-04-30T23:02:33.941Z

Link: CVE-2026-40699

Vulnrichment

Updated: 2026-05-13T16:16:16.103Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:43.730

Modified: 2026-05-13T17:16:20.730

Link: CVE-2026-40699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:30:06Z
