Description
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper permission assignments in F5 BIG‑IP and BIG‑IQ TMOS Shell (tmsh) network diagnostics commands and BIG‑IP iControl REST. An authenticated attacker who can log into the device can exploit these flaws to view the network status of destination systems, thereby accessing sensitive operational data. The weakness is classified as CWE‑732 (Incorrect Permission Assignment for Critical Resource).

Affected Systems

The affected products are F5 BIG‑IP and F5 BIG‑IQ. No specific version information is provided in the advisory; therefore, any instance that includes the vulnerable tmsh network diagnostics or iControl REST functionality should be considered at risk, especially those still receiving support.

Risk and Exploitability

With a CVSS v4.0 score of 6.8, the vulnerability is of medium severity. While no EPSS score is available, the lack of a KEV designation suggests that no exploitation has been confirmed to date. However, an attacker must be authenticated to exploit the flaw, implying that compromised accounts or privileged users could be leveraged to gain the disclosed information. The attack vector is likely an authenticated session that accesses the diagnostic commands or REST endpoints, which is consistent with the published CVSS vectors (AV:L, PR:L: local access with low privileges). Success depends on the incorrect permission assignments present in the affected configurations.

Generated by OpenCVE AI on May 13, 2026 at 17:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 patch or update to a newer release that addresses the permission assignment issue.
  • Restrict access to tmsh network diagnostics commands and iControl REST endpoints so that only users who require them for legitimate operational tasks have permission.
  • Implement a principle‑of‑least‑privilege policy for all BIG‑IP and BIG‑IQ users, regularly reviewing role assignments to prevent over‑granting of rights.


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | F5; F5 big-ip; F5 big-iq |
| Vendors & Products | | F5; F5 big-ip; F5 big-iq |

Wed, 13 May 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 13 May 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| Title | | iControl and tmsh REST vulnerability |
| Weaknesses | | CWE-732 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'} |
| | | cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:08:46.551Z

Reserved: 2026-04-30T23:04:20.043Z

Link: CVE-2026-41959

Vulnrichment

Updated: 2026-05-13T16:08:39.485Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:46.000

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-41959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses