F5 Big-ip Global Traffic Manager — known CVE vulnerabilities
Every CVE whose affected-product data names F5 Big-ip Global Traffic Manager, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (200)
CVE-2023-41373 — CVSS 9.9 (critical): A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands…
CVE-2021-22987 — CVSS 9.9 (critical): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2019-6609 — CVSS 9.8 (critical): Platform dependent weakness. This issue only impacts iSeries platforms. On these platforms, in BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM…
CVE-2019-6675 — CVSS 9.8 (critical): BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are…
CVE-2017-6165 — CVSS 9.8 (critical): In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM, and WebSafe 11.5.1 HF6 through 11.5.4 HF4, 11.6.0 through…
CVE-2018-5506 — CVSS 9.8 (critical): In F5 BIG-IP 13.0.0, 12.1.0-12.1.2, 11.6.1, 11.5.1-11.5.5, or 11.2.1 the Apache modules apache_auth_token_mod and mod_auth_f5_auth_token.cpp…
CVE-2021-22992 — CVSS 9.8 (critical): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2020-5948 — CVSS 9.6 (critical): On BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, undisclosed…
CVE-2021-23037 — CVSS 9.6 (critical): On all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists…
CVE-2019-6644 — CVSS 9.4 (critical): Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP…
CVE-2014-2927 — CVSS 9.3 (critical): The rsync daemon in F5 BIG-IP 11.6 before 11.6.0, 11.5.1 before HF3, 11.5.0 before HF4, 11.4.1 before HF4, 11.4.0 before HF7, 11.3.0 before…
CVE-2013-0150 — CVSS 9.3 (critical): Directory traversal vulnerability in an unspecified signed Java applet in the client-side components in F5 BIG-IP APM 10.1.0 through 10.2.4…
CVE-2020-5886 — CVSS 9.1 (critical): On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems setup for connection mirroring in a High…
CVE-2019-6592 — CVSS 9.1 (critical): On BIG-IP 14.1.0-14.1.0.1, TMM may restart and produce a core file when validating SSL certificates in client SSL or server SSL profiles.
CVE-2019-6649 — CVSS 9.1 (critical): F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise…
CVE-2020-5887 — CVSS 9.1 (critical): On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for remote attackers…
CVE-2019-10744 — CVSS 9.1 (critical): Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or…
CVE-2011-3188 — CVSS 9.1 (critical): The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and…
CVE-2020-5884 — CVSS 9.1 (critical): On versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.4, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the default deployment mode for BIG-IP…
CVE-2026-41225 — CVSS 9.1 (critical): A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create…
CVE-2021-22989 — CVSS 9.1 (critical): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2020-5885 — CVSS 9.1 (critical): On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems set up for connection mirroring in a…
CVE-2015-3628 — CVSS 9.0 (critical): The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.3.0 before 11.5.3 HF2 and 11.6.0 before 11.6.0…
CVE-2015-7394 — CVSS 9.0 (critical): The datastor kernel module in F5 BIG-IP Analytics, APM, ASM, Link Controller, and LTM 11.1.0 before 12.0.0, BIG-IP AAM 11.4.0 before…
CVE-2021-23038 — CVSS 9.0 (critical): On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a…
CVE-2012-3163 — CVSS 9.0 (critical): Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote…
CVE-2020-5904 — CVSS 8.8 (high): In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a cross-site request forgery (CSRF) vulnerability in…
CVE-2016-5020 — CVSS 8.8 (high): F5 BIG-IP before 12.0.0 HF3 allows remote authenticated users to modify the account configuration of users with the Resource Administration…
CVE-2025-20029 — CVSS 8.8 (high): Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated…
CVE-2020-5922 — CVSS 8.8 (high): In BIG-IP versions 15.0.0-15.1.0.4, 14.1.0-14.1.2.6, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, iControl REST does not…
CVE-2021-23025 — CVSS 8.8 (high): On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated…
CVE-2021-23026 — CVSS 8.8 (high): BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and…
CVE-2022-23013 — CVSS 8.8 (high): On BIG-IP DNS & GTM version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and…
CVE-2022-41622 — CVSS 8.8 (high): In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software…
CVE-2026-41957 — CVSS 8.8 (high): An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility…
CVE-2019-6646 — CVSS 8.8 (high): On BIG-IP 11.5.2-11.6.4 and Enterprise Manager 3.1.1, REST users with guest privileges may be able to escalate their privileges and run…
CVE-2019-6642 — CVSS 8.8 (high): In BIG-IP 15.0.0, 14.0.0-14.1.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.2, and 11.5.2-11.6.4, BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, iWorkflow…
CVE-2021-22988 — CVSS 8.8 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2026-34176 — CVSS 8.7 (high): When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A…
CVE-2025-53868 — CVSS 8.7 (high): When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance mode…
CVE-2025-31644 — CVSS 8.7 (high): When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh)…
CVE-2025-23239 — CVSS 8.7 (high): When running in Appliance mode, and logged into a highly-privileged role, an authenticated remote command injection vulnerability exists in…
CVE-2024-22093 — CVSS 8.7 (high): When running in appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint on…
CVE-2026-42930 — CVSS 8.7 (high): When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode…
CVE-2023-43746 — CVSS 8.7 (high): When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions…
CVE-2026-42924 — CVSS 8.7 (high): An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP…
CVE-2026-42406 — CVSS 8.7 (high): A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager…
CVE-2026-41953 — CVSS 8.7 (high): A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role…
CVE-2026-40698 — CVSS 8.7 (high): A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource…
CVE-2026-40631 — CVSS 8.7 (high): An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP…
CVE-2022-41800 — CVSS 8.7 (high): In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass…
CVE-2022-35243 — CVSS 8.7 (high): In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.5.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when running in…
CVE-2026-32673 — CVSS 8.7 (high): A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or…
CVE-2026-32643 — CVSS 8.7 (high): A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager…
CVE-2025-61958 — CVSS 8.7 (high): A vulnerability exists in the iHealth command that may allow an authenticated attacker with at least a resource administrator role to…
CVE-2025-59481 — CVSS 8.7 (high): A vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with…
CVE-2020-5945 — CVSS 8.4 (high): In BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.2.7, undisclosed TMUI page contains a stored cross site scripting…
CVE-2021-22978 — CVSS 8.3 (high): On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x…
CVE-2021-23012 — CVSS 8.2 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation…
CVE-2018-5504 — CVSS 8.1 (high): In some circumstances, the Traffic Management Microkernel (TMM) does not properly handle certain malformed Websockets requests/responses…
CVE-2019-6974 — CVSS 8.1 (high): In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race…
CVE-2020-5860 — CVSS 8.1 (high): On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and…
CVE-2018-5542 — CVSS 8.1 (high): F5 BIG-IP 13.0.0-13.0.1, 12.1.0-12.1.3.6, or 11.2.1-11.6.3.2 HTTPS health monitors do not validate the identity of the monitored server.
CVE-2020-5876 — CVSS 8.1 (high): On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, a race condition exists where mcpd and…
CVE-2020-5888 — CVSS 8.1 (high): On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for adjacent network…
CVE-2023-40537 — CVSS 8.1 (high): An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a…
CVE-2020-5906 — CVSS 8.1 (high): In versions 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, the BIG-IP system does not properly enforce the access controls for the…
CVE-2022-35728 — CVSS 8.1 (high): In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of…
CVE-2017-6164 — CVSS 8.1 (high): In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator and WebSafe software version…
CVE-2025-24320 — CVSS 8.0 (high): A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker…
CVE-2024-31156 — CVSS 8.0 (high): A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker…
CVE-2022-28707 — CVSS 8.0 (high): On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, a stored…
CVE-2026-41217 — CVSS 7.9 (high): A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource…
CVE-2019-6685 — CVSS 7.8 (high): On BIG-IP versions 15.0.0-15.0.1.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, users with access…
CVE-2015-5058 — CVSS 7.8 (high): Memory leak in the virtual server component in F5 Big-IP LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, and PEM 11.5.x before…
CVE-2019-9075 — CVSS 7.8 (high): An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based…
CVE-2014-0101 — CVSS 7.8 (high): The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and…
CVE-2020-5858 — CVSS 7.8 (high): On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and…
CVE-2018-13405 — CVSS 7.8 (high): The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group…
CVE-2015-4047 — CVSS 7.8 (high): racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash)…
CVE-2013-6016 — CVSS 7.8 (high): The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, APM, ASM, Edge Gateway, GTM, Link Controller, and WOM 10.0.0 through 10.2.2 and…
CVE-2012-1493 — CVSS 7.8 (high): F5 BIG-IP appliances 9.x before 9.4.8-HF5, 10.x before 10.2.4, 11.0.x before 11.0.0-HF2, and 11.1.x before 11.1.0-HF3, and Enterprise…
CVE-2023-43611 — CVSS 7.8 (high): The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. This…
CVE-2022-26415 — CVSS 7.7 (high): On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior…
CVE-2022-41624 — CVSS 7.5 (high): In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.2, 15.1.x before 15.1.7, 14.1.x before 14.1.5.2, and 13.1.x before…
CVE-2012-3000 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in sam/admin/reports/php/saveSettings.php in the (1) APM WebGUI in F5 BIG-IP LTM, GTM, ASM, Link…
CVE-2015-5516 — CVSS 7.5 (high): Memory leak in the last hop kernel module in F5 BIG-IP LTM, GTM, and Link Controller 10.1.x, 10.2.x before 10.2.4 HF13, 11.x before 11.2.1…
CVE-2015-8022 — CVSS 7.5 (high): The Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, and Link Controller 11.x before 11.2.1 HF16, 11.3.x, 11.4.x before…
CVE-2015-8240 — CVSS 7.5 (high): The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, and BIG-IP PEM before…
CVE-2016-4545 — CVSS 7.5 (high): Virtual servers in F5 BIG-IP 11.5.4, when SSL profiles are enabled, allow remote attackers to cause a denial of service (resource…
CVE-2016-5023 — CVSS 7.5 (high): Virtual servers in F5 BIG-IP systems 11.2.1 HF11 through HF15, 11.4.1 HF4 through HF10, 11.5.3 through 11.5.4, 11.6.0 HF5 through HF7, and…
CVE-2016-5736 — CVSS 7.5 (high): The default configuration of the IPsec IKE peer listener in F5 BIG-IP LTM, Analytics, APM, ASM, and Link Controller 11.2.1 before HF16…
CVE-2016-6876 — CVSS 7.5 (high): The RESOLV::lookup iRule command in F5 BIG-IP LTM, APM, ASM, and Link Controller 10.2.1 through 10.2.4, 11.2.1, 11.4.x, 11.5.x before…
CVE-2016-7476 — CVSS 7.5 (high): The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, APM, ASM, GTM, Link Controller, PEM, PSM, and WebSafe 11.6.0 before…
CVE-2016-9244 — CVSS 7.5 (high): A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31…
CVE-2016-9250 — CVSS 7.5 (high): In F5 BIG-IP 11.2.1, 11.4.0 through 11.6.1, and 12.0.0 through 12.1.2, an unauthenticated user with access to the control plane may be able…
CVE-2016-9252 — CVSS 7.5 (high): The Traffic Management Microkernel (TMM) in F5 BIG-IP before 11.5.4 HF3, 11.6.x before 11.6.1 HF2 and 12.x before 12.1.2 does not properly…
CVE-2017-6128 — CVSS 7.5 (high): An attacker may be able to cause a denial-of-service (DoS) attack against the sshd component in F5 BIG-IP, Enterprise Manager, BIG-IQ, and…
CVE-2017-6132 — CVSS 7.5 (high): In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and Websafe software version 13.0.0, 12.0.0 to 12.1.2…
CVE-2017-6135 — CVSS 7.5 (high): In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0, a slow memory leak as…
CVE-2017-6138 — CVSS 7.5 (high): In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2…
CVE-2017-6140 — CVSS 7.5 (high): On the BIG-IP 2000s, 2200s, 4000s, 4200v, i5600, i5800, i7600, i7800, i10600,i10800, and VIPRION 4450 blades, running version 11.5.0…
CVE-2017-6151 — CVSS 7.5 (high): In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator and WebSafe software version…
CVE-2018-14880 — CVSS 7.5 (high): The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6_print_lshdr().
CVE-2018-15317 — CVSS 7.5 (high): In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, and 11.2.1-11.6.3.2, an attacker sending specially crafted SSL records to a…
CVE-2018-15318 — CVSS 7.5 (high): In BIG-IP 14.0.0-14.0.0.2, 13.1.0.4-13.1.1.1, or 12.1.3.4-12.1.3.6, If an MPTCP connection receives an abort signal while the initial flow…
CVE-2018-15319 — CVSS 7.5 (high): On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.6, malicious requests made to virtual servers with an HTTP profile can cause…
CVE-2018-15320 — CVSS 7.5 (high): On BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, undisclosed traffic patterns may lead to denial of service conditions for the BIG-IP system…
CVE-2018-15328 — CVSS 7.5 (high): On BIG-IP 14.0.x, 13.x, 12.x, and 11.x, Enterprise Manager 3.1.1, BIG-IQ 6.x, 5.x, and 4.x, and iWorkflow 2.x, the passphrases for SNMPv3…
CVE-2018-15330 — CVSS 7.5 (high): On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, when a virtual server using the inflate functionality to process a gzip…
CVE-2018-5390 — CVSS 7.5 (high): Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every…
CVE-2018-5391 — CVSS 7.5 (high): The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP…
CVE-2018-5502 — CVSS 7.5 (high): On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disrupt services on the BIG-IP system with maliciously crafted client…
CVE-2018-5507 — CVSS 7.5 (high): On F5 BIG-IP versions 13.0.0, 12.1.0-12.1.3.1, 11.6.1-11.6.2, or 11.5.1-11.5.5, vCMP guests running on VIPRION 2100, 4200 and 4300 series…
CVE-2018-5510 — CVSS 7.5 (high): On F5 BIG-IP 11.5.4 HF4-11.5.5, the Traffic Management Microkernel (TMM) may restart when processing a specific sequence of packets on IPv6…
CVE-2018-5512 — CVSS 7.5 (high): On F5 BIG-IP 13.1.0-13.1.0.5, when Large Receive Offload (LRO) and SYN cookies are enabled (default settings), undisclosed traffic patterns…
CVE-2018-5513 — CVSS 7.5 (high): On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.3, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1, a malformed TLS handshake causes TMM to…
CVE-2018-5514 — CVSS 7.5 (high): On F5 BIG-IP 13.1.0-13.1.0.5, maliciously crafted HTTP/2 request frames can lead to denial of service. There is data plane exposure for…
CVE-2018-5517 — CVSS 7.5 (high): On F5 BIG-IP 13.1.0-13.1.0.5, malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of…
CVE-2018-5527 — CVSS 7.5 (high): On BIG-IP 13.1.0-13.1.0.7, a remote attacker using undisclosed methods against virtual servers configured with a Client SSL or Server SSL…
CVE-2018-5533 — CVSS 7.5 (high): Under certain conditions on F5 BIG-IP 13.0.0, 12.1.0-12.1.2, 11.6.0-11.6.3.1, or 11.5.0-11.5.6, TMM may core while processing SSL forward…
CVE-2018-5534 — CVSS 7.5 (high): Under certain conditions on F5 BIG-IP 13.1.0-13.1.0.5, 13.0.0, 12.1.0-12.1.3.1, 11.6.0-11.6.3.1, or 11.5.0-11.5.6, TMM may core while…
CVE-2018-5535 — CVSS 7.5 (high): On F5 BIG-IP 14.0.0, 13.0.0-13.1.0, 12.1.0-12.1.3, or 11.5.1-11.6.3 specifically crafted HTTP responses, when processed by a Virtual Server…
CVE-2018-5743 — CVSS 7.5 (high): By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections…
CVE-2019-11477 — CVSS 7.5 (high): Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when…
CVE-2019-11479 — CVSS 7.5 (high): Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend…
CVE-2019-12295 — CVSS 7.5 (high): In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by…
CVE-2019-6602 — CVSS 7.5 (high): In BIG-IP 11.5.1-11.5.8 and 11.6.1-11.6.3, the Configuration Utility login page may not follow best security practices when handling a…
CVE-2019-6603 — CVSS 7.5 (high): In BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, and 13.0.0-13.0.1, malformed TCP packets sent to a self IP address or a FastL4…
CVE-2019-6605 — CVSS 7.5 (high): On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, and 12.0.x, an undisclosed sequence of packets received by an SSL virtual server and processed by…
CVE-2019-6611 — CVSS 7.5 (high): When BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 are processing certain rare data sequences…
CVE-2019-6612 — CVSS 7.5 (high): On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, DNS query TCP connections that are aborted…
CVE-2019-6623 — CVSS 7.5 (high): On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, undisclosed traffic sent to BIG-IP iSession virtual server…
CVE-2019-6624 — CVSS 7.5 (high): On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, an undisclosed traffic pattern sent to a BIG-IP UDP virtual…
CVE-2019-6629 — CVSS 7.5 (high): On BIG-IP 14.1.0-14.1.0.5, undisclosed SSL traffic to a virtual server configured with a Client SSL profile may cause TMM to fail and…
CVE-2019-6631 — CVSS 7.5 (high): On BIG-IP 11.5.1-11.6.4, iRules performing HTTP header manipulation may cause an interruption to service when processing traffic handled by…
CVE-2019-6643 — CVSS 7.5 (high): On versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1.4.1, and 11.5.2-11.6.4, an attacker sending specifically crafted…
CVE-2019-6645 — CVSS 7.5 (high): On BIG-IP 14.0.0-14.1.0.5, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6.4, FTP traffic passing through a Virtual Server with both an active…
CVE-2019-6659 — CVSS 7.5 (high): On version 14.0.0-14.1.0.1, BIG-IP virtual servers with TLSv1.3 enabled may experience a denial of service due to undisclosed incoming…
CVE-2019-6660 — CVSS 7.5 (high): On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed HTTP requests may consume excessive amounts of systems resources…
CVE-2019-6664 — CVSS 7.5 (high): On BIG-IP 15.0.0 and 14.1.0-14.1.0.6, under certain conditions, network protections on the management port do not follow current best…
CVE-2019-6666 — CVSS 7.5 (high): On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, and 13.1.0-13.1.1.4, the TMM process may produce a core file when an upstream…
CVE-2019-6667 — CVSS 7.5 (high): On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.1.0-13.1.1.5, 12.1.0-12.1.4.1, and 11.5.1-11.6.5, under certain conditions…
CVE-2019-6669 — CVSS 7.5 (high): On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.1-11.6.5.1, undisclosed traffic flow may…
CVE-2019-6671 — CVSS 7.5 (high): On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.3.1, under certain conditions tmm may leak memory when processing…
CVE-2019-6676 — CVSS 7.5 (high): On versions 15.0.0-15.0.1, 14.0.0-14.1.2.2, and 13.1.0-13.1.3.1, TMM may restart on BIG-IP Virtual Edition (VE) when using virtio direct…
CVE-2019-6677 — CVSS 7.5 (high): On BIG-IP versions 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, and 12.1.0-12.1.5, under certain conditions when using…
CVE-2019-6680 — CVSS 7.5 (high): On BIG-IP versions 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5, while processing traffic…
CVE-2019-6683 — CVSS 7.5 (high): On versions 15.0.0-15.0.1.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, BIG-IP virtual servers…
CVE-2019-6684 — CVSS 7.5 (high): On versions 15.0.0-15.0.1.1, 14.0.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, under certain conditions, a multi-bladed…
CVE-2020-27715 — CVSS 7.5 (high): On BIG-IP 15.1.0-15.1.0.5 and 14.1.0-14.1.3, crafted TLS request to the BIG-IP management interface via port 443 can cause high (~100%) CPU…
CVE-2020-27721 — CVSS 7.5 (high): In versions 16.0.0-16.0.0.1, 15.1.0-15.1.1, 14.1.0-14.1.3, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, in a BIG-IP DNS / BIG-IP…
CVE-2020-5852 — CVSS 7.5 (high): Undisclosed traffic patterns received may cause a disruption of service to the Traffic Management Microkernel (TMM). This vulnerability…
CVE-2020-5856 — CVSS 7.5 (high): On BIG-IP 15.0.0-15.0.1.1 and 14.1.0-14.1.2.2, while processing specifically crafted traffic using the default 'xnet' driver, Virtual…
CVE-2020-5857 — CVSS 7.5 (high): On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, undisclosed HTTP behavior may lead to a…
CVE-2020-5859 — CVSS 7.5 (high): On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM to produce a core file.
CVE-2020-5861 — CVSS 7.5 (high): On BIG-IP 12.1.0-12.1.5, the TMM process may produce a core file in some cases when Ram Cache incorrectly optimizes stored data resulting…
CVE-2020-5862 — CVSS 7.5 (high): On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.2, under certain conditions, TMM may crash or stop processing new traffic…
CVE-2020-5871 — CVSS 7.5 (high): On BIG-IP 14.1.0-14.1.2.3, undisclosed requests can lead to a denial of service (DoS) when sent to BIG-IP HTTP/2 virtual servers. The…
CVE-2020-5872 — CVSS 7.5 (high): On BIG-IP 14.1.0-14.1.2.3, 14.0.0-14.0.1, 13.1.0-13.1.3.1, and 12.1.0-12.1.4.1, when processing TLS traffic with hardware cryptographic…
CVE-2020-5875 — CVSS 7.5 (high): On BIG-IP 15.0.0-15.0.1 and 14.1.0-14.1.2.3, under certain conditions, the Traffic Management Microkernel (TMM) may generate a core file…
CVE-2020-5877 — CVSS 7.5 (high): On BIG-IP 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, malformed input to the DATAGRAM::tcp…
CVE-2020-5878 — CVSS 7.5 (high): On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.3, Traffic Management Microkernel (TMM) may restart on BIG-IP Virtual…
CVE-2020-5881 — CVSS 7.5 (high): On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when the BIG-IP Virtual Edition (VE) is configured with VLAN groups and…
CVE-2020-5882 — CVSS 7.5 (high): On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5, and 11.6.1-11.6.5.1, under certain conditions, the Intel…
CVE-2020-5918 — CVSS 7.5 (high): In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic…
CVE-2020-5921 — CVSS 7.5 (high): in BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, Syn flood…
CVE-2020-5925 — CVSS 7.5 (high): In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, undisclosed…
CVE-2020-5926 — CVSS 7.5 (high): In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, and 14.1.0-14.1.2.6, a BIG-IP virtual server with a Session Initiation Protocol (SIP)…
CVE-2020-5930 — CVSS 7.5 (high): In BIG-IP 15.0.0-15.1.0.4, 14.1.0-14.1.2.7, 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2 and BIG-IQ 5.2.0-7.1.0, unauthenticated…
CVE-2020-5931 — CVSS 7.5 (high): On BIG-IP 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, Virtual servers with a OneConnect…
CVE-2020-5933 — CVSS 7.5 (high): On versions 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, when a BIG-IP system that has a…
CVE-2020-5939 — CVSS 7.5 (high): In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.3, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, and 13.1.0-13.1.3.4, BIG-IP Virtual Edition (VE) systems on…
CVE-2020-5941 — CVSS 7.5 (high): On BIG-IP versions 16.0.0-16.0.0.1 and 15.1.0-15.1.0.5, using the RESOLV::lookup command within an iRule may cause the Traffic Management…
CVE-2020-5949 — CVSS 7.5 (high): On BIG-IP versions 14.0.0-14.0.1 and 13.1.0-13.1.3.4, certain traffic pattern sent to a virtual server configured with an FTP profile can…
CVE-2021-22973 — CVSS 7.5 (high): On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x versions…
CVE-2021-22974 — CVSS 7.5 (high): On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of…
CVE-2021-22975 — CVSS 7.5 (high): On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management…
CVE-2021-22977 — CVSS 7.5 (high): On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to…
CVE-2021-22999 — CVSS 7.5 (high): On versions 15.0.x before 15.1.0 and 14.1.x before 14.1.4, the BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x…
CVE-2021-23000 — CVSS 7.5 (high): On BIG-IP versions 13.1.3.4-13.1.3.6 and 12.1.5.2, if the tmm.http.rfc.enforcement BigDB key is enabled in a BIG-IP system, or the Bad host…
CVE-2021-23003 — CVSS 7.5 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2021-23004 — CVSS 7.5 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3…
CVE-2021-23009 — CVSS 7.5 (high): On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a…
CVE-2021-23011 — CVSS 7.5 (high): On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x…
CVE-2021-23013 — CVSS 7.5 (high): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3…
CVE-2021-23034 — CVSS 7.5 (high): On BIG-IP version 16.x before 16.1.0 and 15.1.x before 15.1.3.1, when a DNS profile using a DNS cache resolver is configured on a virtual…
CVE-2021-23035 — CVSS 7.5 (high): On BIG-IP 14.1.x before 14.1.4.4, when an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked…
CVE-2021-23039 — CVSS 7.5 (high): On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.2.8, and all versions of 13.1.x and 12.1.x, when IPSec is…