Security advisory; NCSC-2026-0162 [1.0.0]
- Security advisory: NCSC-2026-0162 [1.0.0]
- Publication: 15-05-2026 14:07 (Europe/Amsterdam)
- Priority: Normal
- Concerns: Vulnerabilities fixed in F5 BIG-IP and BIG-IQ products
Characteristics
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Path Traversal: '.../...//'
- Improper Neutralization of Special Elements used in a Command ('Command Injection')
- Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- Stack-based Buffer Overflow
- Incorrect Calculation of Buffer Size
- Exposure of Sensitive Information to an Unauthorized Actor
- Execution with Unnecessary Privileges
- Unchecked Return Value
- Incorrect Privilege Assignment
- Privilege Defined With Unsafe Actions
- Least Privilege Violation
- Cleartext Storage of Sensitive Information
- Cross-Site Request Forgery (CSRF)
- Use After Free
- Unprotected Alternate Channel
- NULL Pointer Dereference
- Deserialization of Untrusted Data
- Insertion of Sensitive Information into Log File
- Files or Directories Accessible to External Parties
- Improper Neutralization of Data within XPath Expressions ('XPath Injection')
- Incorrect Use of Privileged APIs
- Incorrect Permission Assignment for Critical Resource
- Allocation of Resources Without Limits or Throttling
- Missing Release of Resource after Effective Lifetime
- Access of Uninitialized Pointer
- Loop with Unreachable Exit Condition ('Infinite Loop')
Description
F5 has fixed multiple vulnerabilities in the BIG-IP and BIG-IQ product lines, including components such as iControl REST, iControl SOAP, TMOS Shell, Traffic Management Microkernel (TMM), Configuration utility, Advanced WAF, ASM, PEM, DNS, Access Policy Manager (APM) and SSL Orchestrator.
The vulnerabilities include directory traversal, unauthorised file modification, exposure of sensitive SSH passwords in API responses and audit logs, privilege escalation through incorrect permission assignment, remote command injection, cross-account information leakage, and unexpected process termination (of the TMM, httpd, apmd and bd processes, among others) triggered by specific configurations or undocumented traffic patterns.
Exploitation generally requires authenticated access with a role ranging from Manager or Resource Administrator up to Administrator, depending on the vulnerability. Some vulnerabilities allow configuration objects to be modified, which can lead to execution of arbitrary commands with elevated privileges.
Other vulnerabilities concern the leaking of sensitive information through incorrect access control or insufficient validation within management interfaces. Several vulnerabilities are specific to Appliance mode or to particular configuration profiles such as SSL, HTTP/2, SIP, LDAP authentication and SNMP configurations. The impact includes bypassing security controls, escalating privileges, leaking sensitive data, and disrupting the availability and stability of network and application management components. Unsupported software versions have in most cases not been evaluated for these vulnerabilities.
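Because most of these issues need an authenticated account in the Manager, Resource Administrator or Administrator role, a useful interim check while the updates are rolled out is to enumerate which local accounts actually hold such a role. The script below is an added example, not part of the NCSC advisory or of F5's tooling: it parses the text that `tmsh list auth user` prints and reports the high-privilege accounts together with their shell. The block layout and the role identifiers `admin`, `resource-admin` and `manager` are assumed from typical TMOS output, and the sample input at the bottom is constructed for demonstration.

```python
"""Flag BIG-IP local accounts whose role matches the advisory's exploitation
prerequisites (Manager, Resource Administrator, Administrator).

Input is the text printed by `tmsh list auth user`; pass a saved copy as the
first argument, or run without arguments to use the constructed sample."""
import re
import sys

# Role identifiers as tmsh prints them (assumed), mapped from the advisory's
# role names: Administrator, Resource Administrator, Manager.
HIGH_RISK_ROLES = {"admin", "resource-admin", "manager"}


def parse_auth_users(text):
    """Return {username: {"roles": {partition: role}, "shell": str or None}}.

    tmsh prints nested `key { ... }` blocks, so a small stack of open block
    names is kept to know which partition a `role` line belongs to.
    """
    users = {}
    stack = []        # names of the currently open blocks, outermost first
    current = None    # username whose block is being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^auth user (\S+) \{$", line)
        if m:
            current = m.group(1)
            users[current] = {"roles": {}, "shell": None}
            stack = ["user"]
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            stack.pop()
            if not stack:
                current = None
            continue
        if current is None:
            continue
        key, _, value = line.partition(" ")
        # role lines live under partition-access { <partition> { role X } }
        if key == "role" and len(stack) >= 3 and stack[1] == "partition-access":
            users[current]["roles"][stack[2]] = value
        elif key == "shell":
            users[current]["shell"] = value
    return users


def high_privilege_accounts(users):
    """Sorted usernames holding a high-risk role in any partition."""
    return sorted(
        name for name, info in users.items()
        if HIGH_RISK_ROLES & set(info["roles"].values())
    )


def report(users):
    """One line per flagged account: roles per partition and the login shell."""
    lines = []
    for name in high_privilege_accounts(users):
        info = users[name]
        roles = ", ".join(f"{p}:{r}" for p, r in sorted(info["roles"].items()))
        lines.append(f"{name}: roles=[{roles}] shell={info['shell']}")
    return lines


# Constructed sample imitating `tmsh list auth user` output; not real data.
SAMPLE = """\
auth user admin {
    description "Admin User"
    encrypted-password <redacted>
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user netops {
    encrypted-password <redacted>
    partition Common
    partition-access {
        Common {
            role manager
        }
    }
    shell tmsh
}
auth user monitor {
    encrypted-password <redacted>
    partition Common
    partition-access {
        all-partitions {
            role guest
        }
    }
    shell none
}
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line in report(parse_auth_users(data)):
        print(line)
```

Accounts that appear in the report are the ones whose compromise would satisfy the role prerequisite described above; reviewing whether each one still needs that role, and whether it needs an interactive shell at all, reduces exposure independently of the patch schedule. Remote authentication sources (LDAP, RADIUS, TACACS+) are not covered by this check and need a separate review of their role mapping.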
Solutions
F5 has released updates that fix the vulnerabilities in the BIG-IP and BIG-IQ products. See the references below for more information.
References
- https://my.f5.com/manage/s/article/K000160975
- https://my.f5.com/manage/s/article/K000160979
- https://my.f5.com/manage/s/article/K000160981
- https://my.f5.com/manage/s/article/K000161018
- https://my.f5.com/manage/s/article/K000161022
- https://my.f5.com/manage/s/article/K000161023
- https://my.f5.com/manage/s/article/K000161040
- https://my.f5.com/manage/s/article/K000161056
- https://my.f5.com/manage/s/article/K000161107
- https://my.f5.com/manage/s/article/K000149743
- https://my.f5.com/manage/s/article/K000156581
- https://my.f5.com/manage/s/article/K000156604
- https://my.f5.com/manage/s/article/K000156761
- https://my.f5.com/manage/s/article/K000156734
- https://my.f5.com/manage/s/article/K000157895
- https://my.f5.com/manage/s/article/K000157981
- https://my.f5.com/manage/s/article/K000158038
- https://my.f5.com/manage/s/article/K000158070
- https://my.f5.com/manage/s/article/K000158082
- https://my.f5.com/manage/s/article/K000158971
- https://my.f5.com/manage/s/article/K000158978
- https://my.f5.com/manage/s/article/K000158979
- https://my.f5.com/manage/s/article/K000159021
- https://my.f5.com/manage/s/article/K000159034
- https://my.f5.com/manage/s/article/K000160727
- https://my.f5.com/manage/s/article/K000160788
- https://my.f5.com/manage/s/article/K000160857
- https://my.f5.com/manage/s/article/K000160862
- https://my.f5.com/manage/s/article/K000160863
- https://my.f5.com/manage/s/article/K000160874
- https://my.f5.com/manage/s/article/K000160875
- https://my.f5.com/manage/s/article/K000160876
- https://my.f5.com/manage/s/article/K000160901
- https://my.f5.com/manage/s/article/K000160903
- https://my.f5.com/manage/s/article/K000160911
- https://my.f5.com/manage/s/article/K000160916
- https://my.f5.com/manage/s/article/K000160926
- https://my.f5.com/manage/s/article/K000160945
- https://my.f5.com/manage/s/article/K000160971
- https://my.f5.com/manage/s/article/K000160972
- https://my.f5.com/manage/s/article/K000160973
CVEs
- CVE-2026-24464 - CVSS (v4) 6.9
- CVE-2026-28758 - CVSS (v4) 6.7
- CVE-2026-32643 - CVSS (v4) 8.5
- CVE-2026-32673 - CVSS (v4) 8.5
- CVE-2026-34176 - CVSS (v4) 8.5
- CVE-2026-35062 - CVSS (v4) 7.1
- CVE-2026-39455 - CVSS (v4) 8.7
- CVE-2026-39458 - CVSS (v4) 8.7
- CVE-2026-39459 - CVSS (v4) 8.6
- CVE-2026-40060 - CVSS (v4) 8.7
- CVE-2026-40061 - CVSS (v4) 8.5
- CVE-2026-40067 - CVSS (v4) 8.7
- CVE-2026-40423 - CVSS (v4) 8.7
- CVE-2026-40435 - CVSS (v4) 6.9
- CVE-2026-40462 - CVSS (v4) 7.1
- CVE-2026-40618 - CVSS (v4) 8.7
- CVE-2026-40629 - CVSS (v4) 8.7
- CVE-2026-40631 - CVSS (v4) 8.5
- CVE-2026-40698 - CVSS (v4) 8.5
- CVE-2026-40699 - CVSS (v4) 7.1
- CVE-2026-40703 - CVSS (v4) 5.3
- CVE-2026-41217 - CVSS (v4) 8.3
- CVE-2026-41218 - CVSS (v4) 8.7
- CVE-2026-41219 - CVSS (v4) 7.1
- CVE-2026-41225 - CVSS (v4) 8.6
- CVE-2026-41227 - CVSS (v4) 8.7
- CVE-2026-41953 - CVSS (v4) 8.5
- CVE-2026-41954 - CVSS (v4) 6.9
- CVE-2026-41956 - CVSS (v4) 8.7
- CVE-2026-41957 - CVSS (v4) 8.7
- CVE-2026-41959 - CVSS (v4) 7.1
- CVE-2026-42058 - CVSS (v4) 5.3
- CVE-2026-42063 - CVSS (v4) 6.9
- CVE-2026-42406 - CVSS (v4) 8.5
- CVE-2026-42408 - CVSS (v4) 6.7
- CVE-2026-42409 - CVSS (v4) 8.7
- CVE-2026-42780 - CVSS (v4) 6.9
- CVE-2026-42781 - CVSS (v4) 7.1
- CVE-2026-42919 - CVSS (v4) 7.1
- CVE-2026-42920 - CVSS (v4) 8.7
- CVE-2026-42924 - CVSS (v4) 8.5
- CVE-2026-42930 - CVSS (v4) 8.5
- CVE-2026-42937 - CVSS (v4) 7.1
Products
F5
Disclaimer
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy or incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.