F5 BIG-IP
256 CVEs affecting F5 BIG-IP. Latest disclosed: 2026-05-13. Critical: 4, High: 141.

| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-53521 | Critical | 9.8 | 2025-10-15 | When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versio… |
| CVE-2023-46747 | Critical | 9.8 | 2023-10-26 | Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port… |
| CVE-2022-1388 | Critical | 9.8 | 2022-05-05 | On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all… |
| CVE-2026-41225 | Critical | 9.1 | 2026-05-13 | A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that… |
| CVE-2026-41957 | High | 8.8 | 2026-05-13 | An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility. Note: Software versio… |
| CVE-2025-20029 | High | 8.8 | 2025-02-05 | Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitra… |
| CVE-2023-46748 | High | 8.8 | 2023-10-26 | An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the… |
| CVE-2023-41373 | High | 8.8 | 2023-10-10 | A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP syst… |
| CVE-2022-41622 | High | 8.8 | 2022-12-07 | In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have r… |
| CVE-2026-42930 | High | 8.7 | 2026-05-13 | When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP syste… |
| CVE-2026-42924 | High | 8.7 | 2026-05-13 | An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privil… |
| CVE-2026-42406 | High | 8.7 | 2026-05-13 | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify con… |
| CVE-2026-41953 | High | 8.7 | 2026-05-13 | A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configurati… |
| CVE-2026-40698 | High | 8.7 | 2026-05-13 | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create… |
| CVE-2026-40631 | High | 8.7 | 2026-05-13 | An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege e… |
| CVE-2026-40061 | High | 8.7 | 2026-05-13 | When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated att… |
| CVE-2026-34176 | High | 8.7 | 2026-05-13 | When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit c… |
| CVE-2026-32673 | High | 8.7 | 2026-05-13 | A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute ar… |
| CVE-2026-32643 | High | 8.7 | 2026-05-13 | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify con… |
| CVE-2025-59481 | High | 8.7 | 2025-10-15 | A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with at least resource adm… |