F5 Big-ip Ddos Hybrid Defender — known CVE vulnerabilities
Every CVE whose affected-product data names F5 Big-ip Ddos Hybrid Defender, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (165)
CVE-2023-41373 — CVSS 9.9 (critical): A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands…
CVE-2021-22987 — CVSS 9.9 (critical): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2021-22992 — CVSS 9.8 (critical): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2026-41225 — CVSS 9.1 (critical): A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create…
CVE-2021-22989 — CVSS 9.1 (critical): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2025-20029 — CVSS 8.8 (high): Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated…
CVE-2021-23026 — CVSS 8.8 (high): BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and…
CVE-2021-23025 — CVSS 8.8 (high): On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated…
CVE-2021-22988 — CVSS 8.8 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2020-5922 — CVSS 8.8 (high): In BIG-IP versions 15.0.0-15.1.0.4, 14.1.0-14.1.2.6, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, iControl REST does not…
CVE-2026-41957 — CVSS 8.8 (high): An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility…
CVE-2026-40631 — CVSS 8.7 (high): An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP…
CVE-2026-32643 — CVSS 8.7 (high): A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager…
CVE-2025-61958 — CVSS 8.7 (high): A vulnerability exists in the iHealth command that may allow an authenticated attacker with at least a resource administrator role to…
CVE-2026-42406 — CVSS 8.7 (high): A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager…
CVE-2026-41953 — CVSS 8.7 (high): A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role…
CVE-2025-59481 — CVSS 8.7 (high): A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with…
CVE-2026-42930 — CVSS 8.7 (high): When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode…
CVE-2023-43746 — CVSS 8.7 (high): When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions…
CVE-2025-53868 — CVSS 8.7 (high): When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance mode…
CVE-2026-34176 — CVSS 8.7 (high): When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A…
CVE-2026-40698 — CVSS 8.7 (high): A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource…
CVE-2026-42924 — CVSS 8.7 (high): An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP…
CVE-2026-32673 — CVSS 8.7 (high): A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or…
CVE-2025-31644 — CVSS 8.7 (high): When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh)…
CVE-2023-22374 — CVSS 8.5 (high): A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or…
CVE-2021-22978 — CVSS 8.3 (high): On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x…
CVE-2021-23012 — CVSS 8.2 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation…
CVE-2023-40537 — CVSS 8.1 (high): An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a…
CVE-2024-31156 — CVSS 8.0 (high): A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker…
CVE-2025-24320 — CVSS 8.0 (high): A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker…
CVE-2026-41217 — CVSS 7.9 (high): A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource…
CVE-2023-43611 — CVSS 7.8 (high): The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. This…
CVE-2025-61990 — CVSS 7.5 (high): When using a multi-bladed platform with more than one blade, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to…
CVE-2020-5939 — CVSS 7.5 (high): In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.3, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, and 13.1.0-13.1.3.4, BIG-IP Virtual Edition (VE) systems on…
CVE-2020-5949 — CVSS 7.5 (high): On BIG-IP versions 14.0.0-14.0.1 and 13.1.0-13.1.3.4, certain traffic pattern sent to a virtual server configured with an FTP profile can…
CVE-2021-22974 — CVSS 7.5 (high): On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of…
CVE-2021-22975 — CVSS 7.5 (high): On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management…
CVE-2021-22977 — CVSS 7.5 (high): On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to…
CVE-2021-22999 — CVSS 7.5 (high): On versions 15.0.x before 15.1.0 and 14.1.x before 14.1.4, the BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x…
CVE-2021-23000 — CVSS 7.5 (high): On BIG-IP versions 13.1.3.4-13.1.3.6 and 12.1.5.2, if the tmm.http.rfc.enforcement BigDB key is enabled in a BIG-IP system, or the Bad host…
CVE-2021-23003 — CVSS 7.5 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2021-23004 — CVSS 7.5 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2021-23009 — CVSS 7.5 (high): On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a…
CVE-2021-23011 — CVSS 7.5 (high): On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x…
CVE-2021-23013 — CVSS 7.5 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3…
CVE-2021-23042 — CVSS 7.5 (high): On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, and 12.1.x before 12.1.6, when…
CVE-2021-23045 — CVSS 7.5 (high): On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of…
CVE-2022-23025 — CVSS 7.5 (high): On BIG-IP version 16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, when a SIP ALG profile is…
CVE-2023-22323 — CVSS 7.5 (high): In BIP-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of…
CVE-2023-22340 — CVSS 7.5 (high): On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a SIP profile is…
CVE-2023-22422 — CVSS 7.5 (high): On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, when a HTTP profile with the non-default Enforcement options of…
CVE-2023-22664 — CVSS 7.5 (high): On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2…
CVE-2023-22842 — CVSS 7.5 (high): On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a SIP profile…
CVE-2023-23555 — CVSS 7.5 (high): On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP…
CVE-2023-27378 — CVSS 7.5 (high): Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an…
CVE-2023-29163 — CVSS 7.5 (high): When UDP profile with idle timeout set to immediate or the value 0 is configured on a virtual server, undisclosed traffic can cause TMM to…
CVE-2023-38138 — CVSS 7.5 (high): A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an…
CVE-2023-40534 — CVSS 7.5 (high): When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST…
CVE-2023-40542 — CVSS 7.5 (high): When TCP Verified Accept is enabled on a TCP profile that is configured on a Virtual Server, undisclosed requests can cause an increase in…
CVE-2023-41085 — CVSS 7.5 (high): When IPSec is configured on a Virtual Server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached…
CVE-2024-25560 — CVSS 7.5 (high): When BIG-IP AFM is licensed and provisioned, undisclosed DNS traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note…
CVE-2024-33608 — CVSS 7.5 (high): When IPsec is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note…
CVE-2024-39778 — CVSS 7.5 (high): When a stateless virtual server is configured on BIG-IP system with a High-Speed Bridge (HSB), undisclosed requests can cause TMM to…
CVE-2024-41727 — CVSS 7.5 (high): In BIG-IP tenants running on r2000 and r4000 series hardware, or BIG-IP Virtual Edition (VEs) using Intel E810 SR-IOV NIC, undisclosed…
CVE-2025-20045 — CVSS 7.5 (high): When SIP session Application Level Gateway mode (ALG) profile with Passthru Mode enabled and SIP router ALG profile are configured on a…
CVE-2025-20058 — CVSS 7.5 (high): When a BIG-IP message routing profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource…
CVE-2025-21087 — CVSS 7.5 (high): When Client or Server SSL profiles are configured on a Virtual Server, or DNSSEC signing operations are in use, undisclosed traffic can…
CVE-2025-21091 — CVSS 7.5 (high): When SNMP v1 or v2c are disabled on the BIG-IP, undisclosed requests can cause an increase in memory resource utilization. Note: Software…
CVE-2025-36504 — CVSS 7.5 (high): When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource…
CVE-2025-41399 — CVSS 7.5 (high): When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in…
CVE-2025-41414 — CVSS 7.5 (high): When HTTP/2 client and server profile is configured on a virtual server, undisclosed requests can cause TMM to terminate. Note: Software…
CVE-2025-41433 — CVSS 7.5 (high): When a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is configured on a Message…
CVE-2025-46706 — CVSS 7.5 (high): When an iRule containing the HTTP::respond command is configured on a virtual server, undisclosed requests can cause an increase in memory…
CVE-2025-48008 — CVSS 7.5 (high): When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a virtual server, undisclosed traffic along with conditions beyond…
CVE-2025-52585 — CVSS 7.5 (high): When a BIG-IP LTM Client SSL profile is configured on a virtual server with SSL Forward Proxy enabled and Anonymous Diffie-Hellman (ADH)…
CVE-2025-53474 — CVSS 7.5 (high): When an iRule using an ILX::call command is configured on a virtual server, undisclosed traffic can cause the Traffic Management…
CVE-2025-53856 — CVSS 7.5 (high): When a virtual server, network address translation (NAT) object, or secure network address translation (SNAT) object uses the embedded…
CVE-2025-58071 — CVSS 7.5 (high): When IPsec is configured on the BIG-IP system, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note…
CVE-2025-58096 — CVSS 7.5 (high): When the database variable tm.tcpudptxchecksum is configured as non-default value Software-only on a BIG-IP system, undisclosed traffic can…
CVE-2025-59781 — CVSS 7.5 (high): When DNS cache is configured on a BIG-IP or BIG-IP Next CNF virtual server, undisclosed DNS queries can cause an increase in memory…
CVE-2025-61951 — CVSS 7.5 (high): Undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. This issue may occur when a Datagram Transport Layer…
CVE-2002-20001 — CVSS 7.5 (high): The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not…
CVE-2026-39455 — CVSS 7.5 (high): When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic…
CVE-2026-39458 — CVSS 7.5 (high): When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management…
CVE-2026-40423 — CVSS 7.5 (high): When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate…
CVE-2026-40618 — CVSS 7.5 (high): When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on…
CVE-2026-40629 — CVSS 7.5 (high): When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client…
CVE-2026-41218 — CVSS 7.5 (high): When BIG-IP PEM iRules are configured on a virtual server (iRules using commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, PSC…
CVE-2026-41227 — CVSS 7.5 (high): On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption…
CVE-2026-41956 — CVSS 7.5 (high): When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel…
CVE-2026-42409 — CVSS 7.5 (high): When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed…
CVE-2026-42920 — CVSS 7.5 (high): When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic…
CVE-2020-5913 — CVSS 7.4 (high): In versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, the BIG-IP Client or Server SSL…
CVE-2021-23015 — CVSS 7.2 (high): On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance…
CVE-2021-22990 — CVSS 7.2 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2024-45844 — CVSS 7.2 (high): BIG-IP monitor functionality may allow an attacker to bypass access control restrictions, regardless of the port lockdown settings. Note…
CVE-2023-42768 — CVSS 7.2 (high): When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back…
CVE-2026-39459 — CVSS 7.2 (high): A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the…
CVE-2020-5912 — CVSS 7.1 (high): In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the restjavad…
CVE-2020-5916 — CVSS 6.8 (medium): In BIG-IP versions 15.1.0-15.1.0.4 and 15.0.0-15.0.1.3 the Certificate Administrator user role and higher privileged roles can perform…
CVE-2026-24464 — CVSS 6.8 (medium): When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an…
CVE-2026-42919 — CVSS 6.7 (medium): A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges…
CVE-2022-23023 — CVSS 6.5 (medium): On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ…
CVE-2026-41219 — CVSS 6.5 (medium): An improper sanitization vulnerability exists in the BIG-IP QKView utility that allows a low-privileged attacker to read sensitive…
CVE-2024-32761 — CVSS 6.5 (medium): Under certain conditions, a data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and…
CVE-2020-5943 — CVSS 6.5 (medium): In versions 14.1.0-14.1.0.1 and 14.1.2.5-14.1.2.7, when a BIG-IP object is created or listed through the REST interface, the protected…
CVE-2026-40462 — CVSS 6.5 (medium): Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an…
CVE-2026-40699 — CVSS 6.5 (medium): A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to…
CVE-2026-35062 — CVSS 6.5 (medium): An authenticated iControl SOAP user may be able to obtain information of other accounts. Note: Software versions which have reached End of…
CVE-2026-42781 — CVSS 6.5 (medium): When embedded Packet Velocity Acceleration (ePVA) acceleration is configured, undisclosed local ethernet traffic can cause an increase in…
CVE-2026-41959 — CVSS 6.5 (medium): Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP…
CVE-2025-59483 — CVSS 6.5 (medium): A validation vulnerability exists in an undisclosed URL in the Configuration utility. Note: Software versions which have reached End of…
CVE-2026-42937 — CVSS 6.5 (medium): Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl…
CVE-2020-5938 — CVSS 6.5 (medium): On BIG-IP 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, when negotiating IPSec tunnels with configured, authenticated peers, the…
CVE-2021-23027 — CVSS 6.1 (medium): On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability…
CVE-2025-59269 — CVSS 6.1 (medium): A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker…
CVE-2021-22994 — CVSS 6.1 (medium): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2023-22418 — CVSS 6.1 (medium): On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.7, 14.1.x before 14.1.5.3, and all versions of 13.1.x, an…
CVE-2024-33604 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability exist in undisclosed page of the BIG-IP Configuration utility that allows an attacker…
CVE-2020-27719 — CVSS 6.1 (medium): On BIG-IP 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, a cross-site scripting (XSS) vulnerability exists in an undisclosed page of…
CVE-2021-22979 — CVSS 6.1 (medium): On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a…
CVE-2023-3470 — CVSS 6.0 (medium): Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. The…
CVE-2020-5929 — CVSS 5.9 (medium): In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a…
CVE-2024-41164 — CVSS 5.9 (medium): When TCP profile with Multipath TCP enabled (MPTCP) is configured on a Virtual Server, undisclosed traffic along with conditions beyond the…
CVE-2025-58153 — CVSS 5.9 (medium): Under undisclosed traffic conditions along with conditions beyond the attacker's control, hardware systems with a High-Speed Bridge (HSB)…
CVE-2023-22302 — CVSS 5.9 (medium): In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a…
CVE-2024-28889 — CVSS 5.9 (medium): When an SSL profile with alert timeout is configured with a non-default value on a virtual server, undisclosed traffic along with…
CVE-2023-43485 — CVSS 5.5 (medium): When TACACS+ audit forwarding is configured on BIG-IP or BIG-IQ system, sharedsecret is logged in plaintext in the audit log. Note…
CVE-2023-38423 — CVSS 5.4 (medium): A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run…
CVE-2026-40703 — CVSS 5.4 (medium): A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions…
CVE-2025-59268 — CVSS 5.3 (medium): On the BIG-IP system, undisclosed endpoints that contain static non-sensitive information are accessible to an unauthenticated remote…
CVE-2026-34019 — CVSS 5.3 (medium): When Bidirectional Forwarding Detection (BFD) is configured in Static and Dynamic routing protocols, undisclosed traffic can cause the…
CVE-2025-58424 — CVSS 5.3 (medium): On BIG-IP systems, undisclosed traffic can cause data corruption and unauthorized data modification in protocols which do not have message…
CVE-2026-40435 — CVSS 5.3 (medium): When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses…
CVE-2025-54500 — CVSS 5.3 (medium): An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max…
CVE-2023-24594 — CVSS 5.3 (medium): When an SSL profile is configured on a Virtual Server, undisclosed traffic can cause an increase in CPU or SSL accelerator resource…
CVE-2022-23030 — CVSS 5.3 (medium): On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when the BIG-IP Virtual…
CVE-2022-23029 — CVSS 5.3 (medium): On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when…
CVE-2022-23027 — CVSS 5.3 (medium): On BIG-IP versions 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2, when a FastL4…
CVE-2021-23007 — CVSS 5.3 (medium): On BIG-IP versions 14.1.4 and 16.0.1.1, when the Traffic Management Microkernel (TMM) process handles certain undisclosed traffic, it may…
CVE-2021-22998 — CVSS 5.3 (medium): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2025-54755 — CVSS 4.9 (medium): A directory traversal vulnerability exists in TMUI that allows a highly privileged authenticated attacker to access files which are not…
CVE-2023-22326 — CVSS 4.9 (medium): In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of…
CVE-2026-42063 — CVSS 4.9 (medium): A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download…
CVE-2026-41954 — CVSS 4.9 (medium): Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may…
CVE-2021-22981 — CVSS 4.8 (medium): On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is…
CVE-2024-27202 — CVSS 4.7 (medium): A DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an…
CVE-2023-45219 — CVSS 4.4 (medium): Exposure of Sensitive Information vulnerability exist in an undisclosed BIG-IP TMOS shell (tmsh) command which may allow an authenticated…
CVE-2026-42408 — CVSS 4.4 (medium): When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged…
CVE-2021-23001 — CVSS 4.3 (medium): On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and…
CVE-2023-38419 — CVSS 4.3 (medium): An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests…
CVE-2023-41964 — CVSS 4.3 (medium): The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables. Note: Software versions which…
CVE-2020-5947 — CVSS 4.3 (medium): In versions 16.0.0-16.0.0.1 and 15.1.0-15.1.1, on specific BIG-IP platforms, attackers may be able to obtain TCP sequence numbers from the…
CVE-2024-41723 — CVSS 4.3 (medium): Undisclosed requests to BIG-IP iControl REST can lead to information leak of user account names. Note: Software versions which have reached…
CVE-2026-42058 — CVSS 4.3 (medium): An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account…
CVE-2023-28406 — CVSS 4.3 (medium): A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated…
CVE-2022-41983 — CVSS 3.7 (low): On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions…
CVE-2026-20732 — CVSS 3.1 (low): A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages. Note…