CVE-2026-41954
Analyzed - Analysis Complete
BaseFortify
Vulnerability report for CVE-2026-41954, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-13
Last updated on: 2026-06-24
Assigner: F5 Networks
Description
Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| f5 | big-ip_access_policy_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_advanced_firewall_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_advanced_web_application_firewall | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_analytics | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_application_acceleration_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_application_security_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_application_visibility_and_reporting | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_automation_toolchain | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_carrier-grade_nat | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_container_ingress_services | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_ddos_hybrid_defender | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_domain_name_system | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_edge_gateway | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_fraud_protection_service | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_link_controller | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_local_traffic_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_policy_enforcement_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_ssl_orchestrator | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_webaccelerator | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_websafe | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_global_traffic_manager | From 17.5.0 (inc) to 17.5.1 (inc) |
| f5 | big-ip_access_policy_manager | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_advanced_firewall_manager | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_advanced_web_application_firewall | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_analytics | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_application_acceleration_manager | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_application_security_manager | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_application_visibility_and_reporting | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_automation_toolchain | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_carrier-grade_nat | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_container_ingress_services | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_ddos_hybrid_defender | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_webaccelerator | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_websafe | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_ssl_orchestrator | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_policy_enforcement_manager | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_local_traffic_manager | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_link_controller | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_global_traffic_manager | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_fraud_protection_service | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_edge_gateway | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_domain_name_system | From 17.1.0 (inc) to 17.1.3 (inc) |
| f5 | big-ip_access_policy_manager | 21.0.0 |
| f5 | big-ip_advanced_firewall_manager | 21.0.0 |
| f5 | big-ip_advanced_web_application_firewall | 21.0.0 |
| f5 | big-ip_analytics | 21.0.0 |
| f5 | big-ip_application_acceleration_manager | 21.0.0 |
| f5 | big-ip_application_security_manager | 21.0.0 |
| f5 | big-ip_application_visibility_and_reporting | 21.0.0 |
| f5 | big-ip_automation_toolchain | 21.0.0 |
| f5 | big-ip_carrier-grade_nat | 21.0.0 |
| f5 | big-ip_container_ingress_services | 21.0.0 |
| f5 | big-ip_ddos_hybrid_defender | 21.0.0 |
| f5 | big-ip_domain_name_system | 21.0.0 |
| f5 | big-ip_edge_gateway | 21.0.0 |
| f5 | big-ip_fraud_protection_service | 21.0.0 |
| f5 | big-ip_global_traffic_manager | 21.0.0 |
| f5 | big-ip_link_controller | 21.0.0 |
| f5 | big-ip_local_traffic_manager | 21.0.0 |
| f5 | big-ip_policy_enforcement_manager | 21.0.0 |
| f5 | big-ip_ssl_orchestrator | 21.0.0 |
| f5 | big-ip_webaccelerator | 21.0.0 |
| f5 | big-ip_websafe | 21.0.0 |
| f5 | big-iq_centralized_management | 8.4.0 |
| f5 | big-ip_access_policy_manager | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_advanced_firewall_manager | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_advanced_web_application_firewall | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_analytics | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_application_acceleration_manager | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_application_security_manager | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_application_visibility_and_reporting | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_automation_toolchain | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_carrier-grade_nat | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_container_ingress_services | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_ddos_hybrid_defender | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_domain_name_system | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_edge_gateway | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_fraud_protection_service | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_global_traffic_manager | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_link_controller | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_local_traffic_manager | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_policy_enforcement_manager | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_ssl_orchestrator | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_webaccelerator | From 16.1.0 (inc) to 16.1.6 (inc) |
| f5 | big-ip_websafe | From 16.1.0 (inc) to 16.1.6 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |