F5 Big-ip_advanced_web_application_firewall
155 CVEs affecting F5 Big-ip_advanced_web_application_firewall. Latest disclosed: 2026-05-13. Critical: 9, High: 98.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2023-41373 | Critical | 9.9 | 2023-10-10 | A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP syst… |
CVE-2021-23031 | Critical | 9.9 | 2021-09-14 | On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an aut… |
CVE-2021-22987 | Critical | 9.9 | 2021-03-31 | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6… |
CVE-2023-46747 | Critical | 9.8 | 2023-10-26 | Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port… |
CVE-2021-22991 | Critical | 9.8 | 2021-03-31 | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed reques… |
CVE-2021-22992 | Critical | 9.8 | 2021-03-31 | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6… |
CVE-2021-22986 | Critical | 9.8 | 2021-03-31 | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x… |
CVE-2020-5902 | Critical | 9.8 | 2020-07-01 | In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also… |
CVE-2021-22989 | Critical | 9.1 | 2021-03-31 | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6… |
CVE-2025-20029 | High | 8.8 | 2025-02-05 | Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitra… |
CVE-2023-46748 | High | 8.8 | 2023-10-26 | An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the… |
CVE-2021-23029 | High | 8.8 | 2021-09-14 | On version 16.0.x before 16.0.1.2, insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (S… |
CVE-2021-23026 | High | 8.8 | 2021-09-14 | BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all vers… |
CVE-2021-23025 | High | 8.8 | 2021-09-14 | On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execu… |
CVE-2021-23014 | High | 8.8 | 2021-05-10 | On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploa… |
CVE-2021-22993 | High | 8.8 | 2021-03-31 | On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and 12.1.x before… |
CVE-2021-22988 | High | 8.8 | 2021-03-31 | On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6… |
CVE-2020-5922 | High | 8.8 | 2020-08-26 | In BIG-IP versions 15.0.0-15.1.0.4, 14.1.0-14.1.2.6, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, iControl REST does not implement Cross Site Request… |
CVE-2025-61958 | High | 8.7 | 2025-10-15 | A vulnerability exists in the iHealth command that may allow an authenticated attacker with at least a resource administrator role to bypass tmsh restrictions… |
CVE-2025-59481 | High | 8.7 | 2025-10-15 | A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with at least resource adm… |