CVE-2026-28758
Severity CVSS v4.0:
MEDIUM
Type:
CWE-312
Cleartext Storage of Sensitive Information
Publication date:
13/05/2026
Last modified:
29/06/2026
Description
When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to the audit log to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Impact
Base Score 4.0
6.70
Severity 4.0
MEDIUM
Base Score 3.x
4.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* | 16.1.0 (including) | 16.1.6 (including) |
| cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* | 17.1.0 (including) | 17.1.3.1 (excluding) |
| cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* | 17.5.0 (including) | 17.5.1 (including) |
To consult the complete list of CPE names with products and versions, see this page



