PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41954 F5 CVE debrief

CVE-2026-41954 is a sensitive information disclosure vulnerability in an undisclosed iControl REST endpoint and TMOS Shell (tmsh) command of F5 products. An authenticated attacker holding the Resource Administrator role may be able to view sensitive information. The vulnerability has a CVSS score of 6.9 and a severity of MEDIUM. F5 has provided mitigation guidance in article K32950402.

Vendor: F5
Product: BIG-IP
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-24
Advisory published: 2026-05-13
Advisory updated: 2026-06-24

Who should care

Administrators and users of F5 products, in particular environments where accounts hold the Resource Administrator role, should be aware of this vulnerability and apply the vendor's mitigation guidance. The affected products include BIG-IP Access Policy Manager, BIG-IP Advanced Firewall Manager, and others. Users should review the CVE record and vendor advisory for the full list.

Technical summary

The vulnerability exists in an undisclosed iControl REST endpoint and TMOS Shell (tmsh) command of F5 products. An authenticated attacker holding the Resource Administrator role may be able to view sensitive information. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X: network-reachable (AV:N), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), high impact on confidentiality (VC:H) and none on integrity or availability (VI:N, VA:N). The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Defensive priority

This vulnerability has a medium severity and requires attention from administrators and users of F5 products. Because exploitation requires an authenticated account with the Resource Administrator role, the priority is to review the CVE record, vendor advisory, and affected products, confirm which deployments are affected, and apply the vendor's mitigation guidance.

Recommended defensive actions

  • Review the CVE record and vendor advisory for more information
  • Check whether the F5 products in use are affected by the vulnerability
  • Apply the mitigation guidance provided by F5 in article K32950402
  • Monitor for updates or patches from F5
  • Consider compensating controls that reduce the attack surface, such as limiting which accounts hold the Resource Administrator role and restricting iControl REST and tmsh access to trusted management networks

Evidence notes

The CVE record and vendor advisory provide information on the vulnerability, affected products, and mitigation guidance; the CVSS score and severity are also provided. However, the exact scope of affected products and versions, and the availability of patches or updates, are not clear from the stored evidence.

Official resources

This CVE debrief was generated with AI-assistance based on the supplied source corpus.