CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 2CVE-2025-31644 – Appliance mode BIG-IP iControl REST and tmsh vulnerability
https://notcve.org/view.php?id=CVE-2025-31644
07 May 2025 — When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. F5 BIG-IP version 16.1.4.1 suffers from a command injection vulnerability via an authen... • https://packetstorm.news/files/id/191689 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-35995 – BIG-IP PEM vulnerability
https://notcve.org/view.php?id=CVE-2025-35995
07 May 2025 — When a BIG-IP PEM system is licensed with URL categorization, and the URL categorization policy or an iRule with the urlcat command is enabled on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. When a BIG-IP PEM system is licensed with URL categorization, and the URL categorization policy or an iRule with the urlcat command is enabled on a virtual server, undi... • https://my.f5.com/manage/s/article/K000149952 • CWE-125: Out-of-bounds Read •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-36525 – BIG-IP APM PingAccess Virtual Server Vulnerability
https://notcve.org/view.php?id=CVE-2025-36525
07 May 2025 — When a BIG-IP APM virtual server is configured to use a PingAccess profile, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000150598 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.7EPSS: 0%CPEs: 7EXPL: 0CVE-2025-36504 – BIG-IP HTTP/2 vulnerability
https://notcve.org/view.php?id=CVE-2025-36504
07 May 2025 — When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000140919 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.7EPSS: 0%CPEs: 6EXPL: 0CVE-2025-41414 – BIG-IP HTTP/2 vulnerability
https://notcve.org/view.php?id=CVE-2025-41414
07 May 2025 — When HTTP/2 client and server profile is configured on a virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated • https://my.f5.com/manage/s/article/K000140968 • CWE-476: NULL Pointer Dereference •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-41433 – BIG-IP SIP ALG profile vulnerability
https://notcve.org/view.php?id=CVE-2025-41433
07 May 2025 — When a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is configured on a Message Routing virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000140937 • CWE-476: NULL Pointer Dereference •
CVSS: 8.7EPSS: 0%CPEs: 5EXPL: 0CVE-2025-36557 – BIG-IP HTTP vulnerability
https://notcve.org/view.php?id=CVE-2025-36557
07 May 2025 — When an HTTP profile with the Enforce RFC Compliance option is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. When an HTTP profile with the Enforce RFC Compliance option is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Techni... • https://my.f5.com/manage/s/article/K000139571 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.7EPSS: 0%CPEs: 7EXPL: 0CVE-2025-41399 – SCTP Vulnerability
https://notcve.org/view.php?id=CVE-2025-41399
07 May 2025 — When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are n... • https://my.f5.com/manage/s/article/K000137709 • CWE-404: Improper Resource Shutdown or Release •
CVSS: 9.0EPSS: 58%CPEs: 3EXPL: 3CVE-2025-20029 – BIG-IP iControl REST and tmsh vulnerability
https://notcve.org/view.php?id=CVE-2025-20029
05 Feb 2025 — Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. A command injection vulnerability exists in the F5 tmsh restricted CLI which allows an authenticated attacker to leverage the commands accessible by a low privilege user in order to bypass restrictions, inject arbitrary commands and obtain... • https://packetstorm.news/files/id/189390 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24320 – BIG-IP Configuration utility vulnerability
https://notcve.org/view.php?id=CVE-2025-24320
05 Feb 2025 — A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability is due to an incomplete fix for CVE-2024-31156 https://my.f5.com/manage/s/article/K000138636 . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000140578 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •