Description
Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in an undisclosed iControl REST endpoint and an undisclosed TMOS Shell (tmsh) command on BIG-IP and BIG-IQ. An authenticated attacker holding the resource administrator role can read data that role is not meant to see. The weakness is classified as CWE-200 (exposure of sensitive information); both published CVSS vectors rate confidentiality High and integrity and availability None, so the flaw yields information only, not code execution or configuration change.

Affected Systems

The CVE record lists F5 BIG-IP and F5 BIG-IQ as affected without version ranges, and notes that versions past End of Technical Support (EoTS) were not evaluated. Until F5 publishes fixed versions, treat every supported BIG-IP and BIG-IQ instance as in scope: iControl REST and tmsh are present on all of them.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium); the v3.1 vector scores 4.9, also Medium. Both vectors describe a network-reachable flaw with low attack complexity and no user interaction, but with high privileges required (PR:H), reflecting the resource administrator prerequisite. EPSS is below 1% (Very Low), the CVE is not in the CISA KEV catalog, and the SSVC enrichment records Exploitation: none, Automatable: no, Technical Impact: partial. The realistic attack path is therefore a compromised, shared or malicious resource administrator account acting against the management plane. The CVE description does not say which data is disclosed or how the disclosure is triggered, so detection has to lean on who is using tmsh and iControl REST rather than on a known request pattern.

Generated by OpenCVE AI on May 13, 2026 at 17:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the F5 fix as soon as the vendor advisory lists fixed versions; at the time of writing no fix or workaround has been published.
  • Reduce the number of accounts holding the resource administrator (or administrator) role, review them periodically, and enforce least privilege for everyone else.
  • iControl REST and tmsh are the core management interfaces of BIG-IP and BIG-IQ and cannot simply be switched off; instead restrict management-plane access (management interface and self IPs) to trusted administrative networks using firewall rules and self IP port lockdown.
  • Monitor audit logs for tmsh commands and iControl REST requests issued by resource administrator accounts, and investigate anomalies (new accounts, unusual source addresses, off-hours activity) promptly.

Generated by OpenCVE AI on May 13, 2026 at 17:18 UTC.
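Because the prerequisite for this CVE is a resource administrator account, the first practical control is knowing which local users hold that role. The following is an added example, not F5 code and not part of the OpenCVE page: it reads the JSON that iControl REST returns from GET /mgmt/tm/auth/user (a real endpoint) and lists every user granted admin or resource-admin in any partition. The SAMPLE_RESPONSE payload is constructed in that shape for offline use; the set of roles flagged is this example's own assumption.

```python
"""Audit BIG-IP local users for roles able to exercise CVE-2026-41954.

Added example, not F5 code. Fetch a live payload with, for instance:
  curl -sku admin:<password> https://<bigip>/mgmt/tm/auth/user
and pipe it to this script; with no stdin it falls back to the
constructed SAMPLE_RESPONSE below.
"""
import json
import sys

# Roles to flag. "resource-admin" is the role named in the CVE; "admin" is
# included because it is a superset of it. Which roles to flag is this
# example's assumption, not something the advisory states.
FLAGGED_ROLES = {"admin", "resource-admin"}

# Constructed payload in the shape of GET /mgmt/tm/auth/user; not captured
# from a real device.
SAMPLE_RESPONSE = json.dumps({
    "kind": "tm:auth:user:usercollectionstate",
    "items": [
        {"name": "admin",
         "partitionAccess": [{"name": "all-partitions", "role": "admin"}]},
        {"name": "netops",
         "partitionAccess": [{"name": "all-partitions",
                              "role": "resource-admin"}]},
        {"name": "appdev",
         "partitionAccess": [{"name": "Common", "role": "application-editor"},
                             {"name": "Dev", "role": "resource-admin"}]},
        {"name": "auditor",
         "partitionAccess": [{"name": "all-partitions", "role": "auditor"}]},
        {"name": "svc-noaccess"},  # user with no partitionAccess at all
    ],
})


def load_sample():
    """Parse the constructed sample payload."""
    return json.loads(SAMPLE_RESPONSE)


def privileged_users(payload):
    """Map user name -> sorted [(partition, role)] for flagged roles only."""
    found = {}
    for item in payload.get("items", []):
        grants = [(pa.get("name", ""), pa.get("role", ""))
                  for pa in item.get("partitionAccess", [])
                  if pa.get("role") in FLAGGED_ROLES]
        if grants:
            found[item["name"]] = sorted(grants)
    return found


def report(payload):
    """One human-readable line per flagged user, sorted by user name."""
    lines = []
    for user, grants in sorted(privileged_users(payload).items()):
        where = ", ".join(f"{role}@{part}" for part, role in grants)
        lines.append(f"{user}: {where}")
    return lines


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for line in report(json.loads(raw)):
        print(line)
```

Run it against each device (or against BIG-IQ, which exposes the same collection) and compare the output with the list of people who are supposed to have those rights; a partition-scoped resource-admin grant such as the appdev entry above is easy to miss in the GUI but still satisfies the CVE's prerequisite.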

Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:15:00 +0000

Type: First Time appeared
Values Added: F5, F5 big-ip, F5 big-iq
Type: Vendors & Products
Values Added: F5, F5 big-ip, F5 big-iq
Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type: Description
Values Added: Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Type: Title
Values Added: iControl REST and tmsh vulnerability
Type: Weaknesses
Values Added: CWE-200
Type: References
Values Added: (none listed)
Type: Metrics
Values Added: cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:17:41.943Z

Reserved: 2026-04-30T23:02:33.898Z

Link: CVE-2026-41954

Vulnrichment

Updated: 2026-05-13T16:17:37.482Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:45.600

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-41954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:30:06Z

Weaknesses