PatchSiren

CVE-2026-28758 F5 CVE debrief

A vulnerability exists in the gtm_add and bigip_add iControl REST commands of BIG-IP DNS. When BIG-IP DNS is provisioned, these commands return the ssh-password parameter in cleartext in the iControl REST response. The cleartext password is also logged in the audit log. A highly privileged, authenticated attacker with access to the audit log could view sensitive information. This issue affects multiple versions of BIG-IP DNS, including 16.1.0 to 16.1.6, 17.1.0 to 17.1.3.1, and 17.5.0 to 17.5.1.

Vendor: F5
Product: BIG-IP Domain Name System
CVSS: MEDIUM 6.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-29
Advisory published: 2026-05-13
Advisory updated: 2026-06-29

Who should care

System administrators and security teams responsible for BIG-IP DNS installations should be aware of this vulnerability. They should review their current configurations, assess potential exposure, and take necessary actions to mitigate the risk. This includes checking for affected versions and applying patches or workarounds as recommended by the vendor.

Technical summary

The vulnerability is caused by the insecure handling of sensitive information in the iControl REST commands gtm_add and bigip_add. When BIG-IP DNS is provisioned, these commands return the ssh-password parameter in cleartext. This cleartext password is also logged in the audit log. An attacker with high privileges and access to the audit log could exploit this vulnerability to view sensitive information.

Defensive priority

This vulnerability has a CVSS score of 6.7 and is classified as MEDIUM severity. While it requires a highly privileged, authenticated attacker, the potential impact of sensitive information disclosure warrants prompt attention.

Recommended defensive actions

  • Review BIG-IP DNS configurations and assess potential exposure.
  • Check for affected versions (16.1.0 to 16.1.6, 17.1.0 to 17.1.3.1, 17.5.0 to 17.5.1) and apply patches or workarounds as recommended by F5.
  • Limit access to audit logs to prevent unauthorized viewing of sensitive information.
  • Implement additional monitoring to detect potential exploitation attempts.
  • Consider compensating controls, such as enhanced authentication or access controls, for sensitive areas of the system.
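
The version check in the list above can be scripted across an inventory. The following is an added example, not code from F5 or from the advisory: it compares version strings against the three ranges listed on this page and handles four-part versions such as 17.1.3.1. The hostnames and inventory are constructed, the status names are hypothetical, and the script looks only at the version string, not at whether BIG-IP DNS is provisioned.

```python
import re

# Affected ranges as stated on this page (inclusive on both ends).
AFFECTED_RANGES = [
    ("16.1.0", "16.1.6"),
    ("17.1.0", "17.1.3.1"),
    ("17.5.0", "17.5.1"),
]

def parse_version(text, width=4):
    """Turn '17.1.3.1' into (17, 1, 3, 1); pad short versions with zeros."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognized version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def classify(version):
    """Return 'affected', 'outside-listed-range' or 'branch-not-listed'."""
    v = parse_version(version)
    status = "branch-not-listed"
    for low, high in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if lo <= v <= hi:
            return "affected"
        if v[:2] == lo[:2]:
            # Same major.minor branch as a listed range, but not inside it.
            status = "outside-listed-range"
    return status

def triage(inventory):
    """Map hostname -> status; malformed versions become 'unparsed'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparsed"
    return result

# Constructed inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "gtm-a.example.net": "17.1.3.1",
    "gtm-b.example.net": "16.1.6.1",
    "gtm-c.example.net": "17.5",
    "gtm-d.example.net": "15.1.10",
    "gtm-e.example.net": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}")
```

Because the page describes the ranges as "including" these versions, hosts reported as outside-listed-range, branch-not-listed or unparsed still need to be confirmed against the vendor advisory (K000158070) rather than treated as unaffected.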

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. The vendor advisory (K000158070) offers mitigation guidance. The vulnerability affects multiple BIG-IP DNS versions, and patching is recommended.

This article is AI-assisted and based on the supplied source corpus.