PatchSiren cyber security CVE debrief

CVE-2026-41225 F5 CVE debrief

CVE-2026-41225 is a vulnerability in F5 iControl REST that allows an authenticated attacker holding the Manager role or higher to create configuration objects that can be used to run arbitrary commands. The issue affects multiple F5 products across various versions. It carries a CVSS score of 8.6 and is rated HIGH severity. F5 has published mitigation guidance.

Vendor: F5
Product: BIG-IP
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-24
Advisory published: 2026-05-13
Advisory updated: 2026-06-24

Who should care

Organizations running F5 products, particularly those with iControl REST enabled, should be aware of this vulnerability. The exposure is through accounts holding the Manager role or higher, since exploitation requires that level of authenticated access. F5 customers should review their inventory and apply the mitigations or patches the vendor recommends.

Technical summary

The vulnerability exists in iControl REST and allows a highly privileged authenticated attacker to create configuration objects that can run arbitrary commands. It affects various F5 products, including BIG-IP Access Policy Manager, Advanced Firewall Manager, Advanced Web Application Firewall, and others. The CVSS 4.0 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X: network-reachable, low complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity and availability of the vulnerable system.

Defensive priority

The attack path depends on an account with the Manager role or higher in F5 iControl REST. An immediate review of which accounts hold such roles, and of the access controls around them, is recommended.

Recommended defensive actions

  • Review and limit highly privileged user access to iControl REST.
  • Apply patches or mitigations recommended by F5 for affected products.
  • Monitor iControl REST activity for suspicious command execution.
  • Implement compensating controls to detect and prevent arbitrary command execution.
  • Regularly update and patch F5 products to prevent exploitation.
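As an added example supporting the role review above (not part of the original debrief or F5's guidance), the following script takes the JSON returned by the iControl REST user listing (GET /mgmt/tm/auth/user) and reports every account and partition grant whose role is Manager or higher. The role names, their privilege ordering, the response shape and the sample accounts are all assumptions constructed for this example, not values from the advisory.

```python
import json

# BIG-IP user roles ordered from most to least privileged. Assumption: this
# ordering and the tmsh role names come from general BIG-IP knowledge, not
# from the advisory; adjust if your version exposes different role names.
ROLE_RANK = {
    "admin": 0, "resource-admin": 1, "user-manager": 2, "manager": 3,
    "certificate-manager": 4, "irule-manager": 5, "application-editor": 6,
    "acceleration-policy-editor": 7, "operator": 8, "auditor": 9,
    "guest": 10, "no-access": 11,
}

# Constructed sample standing in for a real GET /mgmt/tm/auth/user response
# (shape assumed: a list of users, each with per-partition role grants).
SAMPLE_RESPONSE = json.dumps({"items": [
    {"name": "admin", "partitionAccess": [{"name": "all-partitions", "role": "admin"}]},
    {"name": "svc-deploy", "partitionAccess": [{"name": "Common", "role": "manager"}]},
    {"name": "auditor1", "partitionAccess": [{"name": "all-partitions", "role": "auditor"}]},
    {"name": "netops", "partitionAccess": [{"name": "Common", "role": "operator"}]},
    {"name": "cert-bot", "partitionAccess": [{"name": "Common", "role": "certificate-manager"}]},
]})


def accounts_at_or_above(response_text, threshold="manager"):
    """Return (user, partition, role) triples whose role is at least `threshold`,
    most privileged first. Unknown role names are treated as least privileged
    so they never silently pass the filter."""
    limit = ROLE_RANK[threshold]
    hits = []
    for user in json.loads(response_text).get("items", []):
        for access in user.get("partitionAccess", []):
            role = access.get("role", "no-access")
            if ROLE_RANK.get(role, len(ROLE_RANK)) <= limit:
                hits.append((user["name"], access.get("name", "?"), role))
    return sorted(hits, key=lambda h: (ROLE_RANK[h[2]], h[0]))


if __name__ == "__main__":
    # In practice feed this the body of an authenticated GET /mgmt/tm/auth/user.
    for name, partition, role in accounts_at_or_above(SAMPLE_RESPONSE):
        print(f"{name:<12} {partition:<16} {role}")
```

Any account reported here is one whose credentials would satisfy the PR:H precondition in the vector, so each should be justified, scoped to the partitions it needs, and covered by the monitoring actions listed above.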

Evidence notes

The CVE record and NVD detail provide comprehensive information on the vulnerability, including affected products and CVSS scoring. F5 has provided mitigation guidance via their support article K000160916.

Official resources

This article was generated with AI assistance based on the supplied source corpus.