Description
A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery (CSRF) vulnerability exists in the dashboard of the BIG‑IP Configuration utility. If a user who is logged in to the Configuration utility visits an attacker‑controlled site, that site can make the browser submit requests to the dashboard that carry the user's session credentials, so the device processes them as though the user had made them. The published vectors rate the impact as low on integrity and availability with no confidentiality impact (CVSS v3.1 C:N/I:L/A:L, CVSS v4.0 VC:N/VI:L/VA:L), so the direct effect is unauthorized modification or disruption of whatever the dashboard exposes rather than full device compromise.

Affected Systems

The vulnerability affects F5 BIG‑IP. The advisory as recorded here lists no specific affected or fixed versions, and F5 notes that software versions which have reached End of Technical Support (EoTS) are not evaluated.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (Medium) and the CVSS v3.1 score is 5.4. The EPSS probability is below 1% (Very Low), the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. As with any CSRF, the attacker needs no credentials of their own (PR:N) but does need a victim who holds an active authenticated session to the Configuration utility and can be lured to an attacker‑controlled page (UI:R in v3.1, UI:P in v4.0). The rating reflects that exploitation is feasible but depends on that user interaction and yields only partial impact.

Generated by OpenCVE AI on May 13, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the F5 security advisory portal for the advisory on this CVE and any fixed version or workaround.
  • Apply the vendor‑released fix to the BIG‑IP device as soon as it becomes available.
  • Until a fix is available, reduce exposure: restrict access to the Configuration utility to trusted management networks, have administrators use a dedicated browser profile for the management UI, avoid browsing other sites in that profile while logged in, and log out when finished. Origin checks and anti‑CSRF tokens belong in the product's own request handling and are not something the operator can configure on the dashboard.
  • Review the device's audit logs for configuration changes that no administrator made, since these could indicate a CSRF exploitation attempt.

Advisories

No advisories yet.

History

Wed, 13 May 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           F5; F5 big-ip
Vendors & Products   (none)           F5; F5 big-ip

Wed, 13 May 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title        (none)           BIG-IP Configuration utility CSRF vulnerability
Weaknesses   (none)           CWE-352
References   (none)
Metrics      (none)           cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}
                              cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:18:09.574Z

Reserved: 2026-04-30T23:02:33.880Z

Link: CVE-2026-40703

Vulnrichment

Updated: 2026-05-13T16:18:04.905Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:44.020

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-40703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:15:16Z

Weaknesses