Description
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from incorrect permission assignments on the TMOS Shell arp and ndp commands and on the iControl REST interface of F5 BIG‑IP and BIG‑IQ devices. An attacker who can authenticate to the device can read adjacent network information such as MAC addresses and neighbor table entries. This is a classic incorrect permission assignment for a critical resource (CWE‑732): it provides neither code execution nor denial of service, but it exposes sensitive network state.

Affected Systems

F5 Networks' BIG‑IP appliance and BIG‑IQ management platform are affected, including their TMOS Shell (tmsh) commands and the iControl REST API. The advisory lists no specific product versions, so any current release that has not reached End of Technical Support is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate‑severity risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not actively exploited at a large scale. Exploitation requires an attacker to be authenticated to the target system, either through the device’s local interface or via the iControl REST API. Once authenticated, the attacker can issue the privileged commands to exfiltrate network topology information.

Generated by OpenCVE AI on May 13, 2026 at 17:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent F5 security patch for BIG‑IP and BIG‑IQ that addresses the permission issue in tmsh and iControl REST.
  • Restrict incoming connections to the iControl REST API and the TMOS Shell to trusted IP addresses or VPN endpoints.
  • Limit user permissions so that only required roles can execute arp and ndp commands in tmsh, and disable those commands for roles that do not need them.

Generated by OpenCVE AI on May 13, 2026 at 17:13 UTC.

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    F5, F5 big-ip, F5 big-iq
Vendors & Products                     F5, F5 big-ip, F5 big-iq

Wed, 13 May 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title                          iControl REST and tmsh vulnerability
Weaknesses                     CWE-732
References
Metrics                        cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                               cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:09:45.227Z

Reserved: 2026-04-30T23:04:20.019Z

Link: CVE-2026-42937

Vulnrichment

Updated: 2026-05-13T16:09:39.654Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:50.050

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42937

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses