F5

Multiple vulnerabilities in F5 BIG-IP products could allow an attacker to execute arbitrary code, gain elevated privileges, bypass security measures, manipulate or disclose data, or cause a denial-of-service condition.

CVE-2026-42409 describes a vulnerability in F5 BIG-IP where undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate when an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, potentially leading to denial of service.

CVE-2026-41956 describes a vulnerability in F5 Networks' Traffic Management Microkernel (TMM) where undisclosed requests can cause TMM termination when a classification profile is configured on a UDP virtual server, leading to a denial-of-service condition.

CVE-2026-42930 allows an authenticated attacker with 'Administrator' privileges to bypass Appliance mode restrictions on F5 BIG-IP systems.

CVE-2026-42924 allows an authenticated attacker with Resource Administrator or Administrator privileges to escalate privileges by creating malicious SNMP configuration objects through iControl SOAP.

CVE-2026-42920 describes a vulnerability where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate when a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server.

CVE-2026-42406 allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects in F5 BIG-IP and BIG-IQ systems, leading to arbitrary command execution.

An authenticated remote code execution vulnerability (CVE-2026-41957) exists in the F5 BIG-IP and BIG-IQ Configuration utility, potentially leading to arbitrary code execution on affected systems.

CVE-2026-41953 describes a privilege escalation vulnerability in F5 BIG-IP systems where a highly privileged, authenticated attacker with the Resource Administrator role can modify configuration objects, leading to elevated privileges within the system.

CVE-2026-41218 describes a vulnerability in F5 BIG-IP PEM iRules where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate, leading to a denial-of-service condition.

CVE-2026-41217 is a vulnerability in an undisclosed F5 BIG-IP TMOS Shell (tmsh) command that allows an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges, potentially crossing a security boundary in Appliance mode deployments.

An authenticated attacker with Resource Administrator or Administrator roles can modify configuration objects through iControl SOAP in F5 products, leading to privilege escalation via CVE-2026-40631.

CVE-2026-40629 describes a vulnerability in F5 Networks products where, when SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections, leading to a denial of service.

CVE-2026-40423 describes a vulnerability in F5 Networks products where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate when a SIP profile is configured on a virtual server, leading to a denial-of-service condition.

A vulnerability exists in F5 BIG-IP APM where, when an APM access policy is configured on a virtual server, undisclosed network traffic can cause the apmd process to terminate, resulting in a denial of service (CVE-2026-40067).

CVE-2026-40060 describes a vulnerability in F5 BIG-IP Advanced WAF and ASM security policies where undisclosed requests can cause the `bd` process to terminate, leading to a denial-of-service condition.

CVE-2026-39459 describes a vulnerability in F5's iControl REST and TMOS Shell (tmsh) where a privileged, authenticated attacker with at least the Manager role can execute arbitrary commands by creating malicious configuration objects.

CVE-2026-34176 is an authenticated remote command injection vulnerability in an undisclosed iControl REST endpoint when running in Appliance mode, allowing an attacker to cross a security boundary.

CVE-2026-32643 describes a vulnerability in F5 BIG-IP and BIG-IQ systems that allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects, leading to arbitrary command execution.

CVE-2026-41225 allows a highly privileged, authenticated attacker with at least the Manager role to create configuration objects in F5 iControl REST, leading to arbitrary command execution.

F5 has reclassified CVE-2025-53521, a vulnerability in BIG-IP APM, as a critical unauthenticated remote code execution vulnerability and reports it is being actively exploited in the wild.

Multiple vulnerabilities in F5 BIG-IP and F5OS allow an attacker to bypass security mechanisms, escalate privileges, cause a denial-of-service condition, perform a cross-site scripting attack, and disclose or manipulate information.