BaseFortify

Publication date: 2026-05-13

Last updated on: 2026-06-24

Assigner: F5 Networks

Description

A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-13

Last Modified

2026-06-24

Generated

2026-06-30

EPSS Evaluated

2026-06-28

NVD

CVE-2026-41217

Affected Vendors & Products

Vendor	Product	Version / Range
f5	big-ip_access_policy_manager	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_advanced_firewall_manager	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_advanced_web_application_firewall	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_analytics	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_application_acceleration_manager	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_application_security_manager	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_application_visibility_and_reporting	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_automation_toolchain	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_carrier-grade_nat	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_container_ingress_services	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_ddos_hybrid_defender	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_domain_name_system	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_edge_gateway	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_fraud_protection_service	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_link_controller	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_local_traffic_manager	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_policy_enforcement_manager	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_ssl_orchestrator	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_webaccelerator	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_websafe	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_global_traffic_manager	From 17.5.0 (inc) to 17.5.1 (inc)
f5	big-ip_access_policy_manager	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_advanced_firewall_manager	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_advanced_web_application_firewall	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_analytics	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_application_acceleration_manager	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_application_security_manager	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_application_visibility_and_reporting	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_automation_toolchain	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_carrier-grade_nat	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_container_ingress_services	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_ddos_hybrid_defender	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_webaccelerator	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_websafe	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_ssl_orchestrator	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_policy_enforcement_manager	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_local_traffic_manager	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_link_controller	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_global_traffic_manager	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_fraud_protection_service	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_edge_gateway	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_domain_name_system	From 17.1.0 (inc) to 17.1.3 (inc)
f5	big-ip_access_policy_manager	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_advanced_firewall_manager	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_advanced_web_application_firewall	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_analytics	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_application_acceleration_manager	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_application_security_manager	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_application_visibility_and_reporting	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_automation_toolchain	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_carrier-grade_nat	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_container_ingress_services	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_ddos_hybrid_defender	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_domain_name_system	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_edge_gateway	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_fraud_protection_service	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_global_traffic_manager	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_link_controller	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_local_traffic_manager	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_policy_enforcement_manager	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_ssl_orchestrator	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_webaccelerator	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_websafe	From 16.1.0 (inc) to 16.1.6 (inc)
f5	big-ip_access_policy_manager	21.0.0
f5	big-ip_advanced_firewall_manager	21.0.0
f5	big-ip_advanced_web_application_firewall	21.0.0
f5	big-ip_analytics	21.0.0
f5	big-ip_application_acceleration_manager	21.0.0
f5	big-ip_application_security_manager	21.0.0
f5	big-ip_application_visibility_and_reporting	21.0.0
f5	big-ip_automation_toolchain	21.0.0
f5	big-ip_carrier-grade_nat	21.0.0
f5	big-ip_container_ingress_services	21.0.0
f5	big-ip_ddos_hybrid_defender	21.0.0
f5	big-ip_domain_name_system	21.0.0
f5	big-ip_edge_gateway	21.0.0
f5	big-ip_fraud_protection_service	21.0.0
f5	big-ip_global_traffic_manager	21.0.0
f5	big-ip_link_controller	21.0.0
f5	big-ip_local_traffic_manager	21.0.0
f5	big-ip_policy_enforcement_manager	21.0.0
f5	big-ip_ssl_orchestrator	21.0.0
f5	big-ip_webaccelerator	21.0.0
f5	big-ip_websafe	21.0.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-732	The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Attack-Flow Graph

AI Quick Actions have not been generated yet.

Hi! I’m here to help you understand CVE-2026-41217. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70