F5 BIG-IP Next Central Manager vulnerabilities

12 known vulnerabilities affecting f5/big-ip_next_central_manager.

Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 5

Vulnerabilities

CVE-2025-54500 | MEDIUM | CVSS 6.9 | Affected: 20.3.0 | Published: 2025-08-13
CWE-770. An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: nvd

CVE-2025-36504 | HIGH | CVSS 8.7 | Affected: 20.2.0, 20.2.1 | Published: 2025-05-07
CWE-770. When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: nvd

CVE-2025-41399 | HIGH | CVSS 8.7 | Affected: 20.2.0 | Published: 2025-05-07
CWE-404. When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: nvd

CVE-2025-24319 | HIGH | CVSS 7.1 | Affected: ≥ 20.2.0, < 20.3.0; ≥ 20.1.0, < 20.3.0 | Published: 2025-02-05
CWE-20. When BIG-IP Next Central Manager is running, undisclosed requests to the BIG-IP Next Central Manager API can cause the BIG-IP Next Central Manager Node's Kubernetes service to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd

CVE-2025-23413 | MEDIUM | CVSS 6.7 | Affected: ≥ 20.2.0, < 20.3.0; ≥ 20.1.0, < 20.3.0 | Published: 2025-02-05
CWE-532. When users log in through the webUI or API using local authentication, BIG-IP Next Central Manager may log sensitive information in the pgaudit log files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd

CVE-2024-39809 | HIGH | CVSS 8.9 | Affected: 20.1.0; ≥ 20.1.0, < 20.2.0 | Published: 2024-08-14
CWE-613. The Central Manager user session refresh token does not expire when a user logs out. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd

CVE-2024-37028 | MEDIUM | CVSS 6.3 | Affected: ≥ 20.1.0, < 20.2.1 | Published: 2024-08-14
CWE-645. BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd

CVE-2024-41719 | MEDIUM | CVSS 5.1 | Affected: ≥ 20.1.0, < 20.2.1 | Published: 2024-08-14
CWE-532. When generating QKView of a BIG-IP Next instance from the BIG-IP Next Central Manager (CM), F5 iHealth credentials will be logged in the BIG-IP Central Manager logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd

CVE-2024-26026 | HIGH | CVSS 7.5 | Affected: ≥ 20.0.1, < 20.2.0 | Published: 2024-05-08
CWE-89. An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd

CVE-2024-32049 | HIGH | CVSS 7.4 | Affected: ≥ 20.0.1, < 20.1.0 | Published: 2024-05-08
CWE-300. BIG-IP Next Central Manager (CM) may allow an unauthenticated, remote attacker to obtain the BIG-IP Next LTM/WAF instance credentials. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd

CVE-2024-21793 | HIGH | CVSS 7.5 | Affected: ≥ 20.0.1, < 20.2.0 | Published: 2024-05-08
CWE-89. An OData injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd

CVE-2024-33612 | MEDIUM | CVSS 6.8 | Affected: ≥ 20.0.1, < 20.2.0 | Published: 2024-05-08
CWE-295. An improper certificate validation vulnerability exists in BIG-IP Next Central Manager and may allow an attacker to impersonate an Instance Provider system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: cvelistv5, nvd
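Added example (not part of this listing and not F5 tooling): a small Python triage helper that maps a BIG-IP Next Central Manager version string to the CVEs in the list above, using the affected-version columns as displayed on this page. The transcription of those columns into the AFFECTED table, and the reading of a bare version entry such as "20.3.0" as a single affected version rather than a range, are assumptions; confirm each range and the fixed version against F5's advisory for that CVE before acting on the output.

```python
"""Triage helper: which CVEs from this page apply to a given
BIG-IP Next Central Manager version.

Added example; not F5 tooling. The AFFECTED table is transcribed
from the affected-version columns shown on this page (assumption:
a bare version means exactly that version; a comparison list is
AND-ed). Verify against the F5 advisory for each CVE.
"""

from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# CVE id -> list of range specs. A spec is either an exact version
# ("=20.2.0") or comma-separated comparisons (">=20.1.0,<20.2.1").
# A CVE applies if ANY of its specs matches.
AFFECTED: Dict[str, List[str]] = {
    "CVE-2025-54500": ["=20.3.0"],
    "CVE-2025-36504": ["=20.2.0", "=20.2.1"],
    "CVE-2025-41399": ["=20.2.0"],
    "CVE-2025-24319": [">=20.2.0,<20.3.0", ">=20.1.0,<20.3.0"],
    "CVE-2025-23413": [">=20.2.0,<20.3.0", ">=20.1.0,<20.3.0"],
    "CVE-2024-39809": ["=20.1.0", ">=20.1.0,<20.2.0"],
    "CVE-2024-37028": [">=20.1.0,<20.2.1"],
    "CVE-2024-41719": [">=20.1.0,<20.2.1"],
    "CVE-2024-26026": [">=20.0.1,<20.2.0"],
    "CVE-2024-32049": [">=20.0.1,<20.1.0"],
    "CVE-2024-21793": [">=20.0.1,<20.2.0"],
    "CVE-2024-33612": [">=20.0.1,<20.2.0"],
}


def parse_version(s: str) -> Version:
    """'v20.2.1', '20.2.1' or '20.2' -> (20, 2, 1) / (20, 2, 0).

    Always returns three components so that tuple comparison behaves
    like numeric version comparison (20.2 == 20.2.0, 20.2 < 20.2.1).
    """
    parts = s.strip().lstrip("v").split(".")
    if not parts or len(parts) > 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    parts += ["0"] * (3 - len(parts))
    return (int(parts[0]), int(parts[1]), int(parts[2]))


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def matches_range(version: Version, spec: str) -> bool:
    """True if every comparison clause in spec holds for version."""
    for clause in spec.split(","):
        clause = clause.strip()
        # Two-character operators are tried first so ">=" is not read as ">".
        for op in (">=", "<=", ">", "<", "="):
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                if not _OPS[op](version, bound):
                    return False
                break
        else:
            raise ValueError(f"unparseable clause: {clause!r}")
    return True


def affected_cves(version_str: str) -> List[str]:
    """Sorted CVE ids from this page whose affected ranges include the version."""
    v = parse_version(version_str)
    return sorted(
        cve for cve, specs in AFFECTED.items()
        if any(matches_range(v, spec) for spec in specs)
    )


if __name__ == "__main__":
    # Constructed sample versions spanning the ranges on this page.
    for ver in ("20.0.1", "20.1.0", "20.2.1", "20.3.0", "20.3.1"):
        hits = affected_cves(ver)
        print(f"{ver}: {len(hits)} CVE(s) {hits}")
```

The helper is a first-pass filter only: it says nothing about whether a later point release fixed a given CVE, and per the note attached to every entry above, versions past End of Technical Support were never evaluated, so an empty result for such a version is not evidence of safety.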