CVE Catalog

CVE-2026-28758

MediumCVSS 4.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.08%

0th percentile - higher than 0% of all known CVEs

Summary

When BIG-IP DNS is provisioned, a vulnerability in the gtm_add and bigip_add iControl REST commands returns the ssh-password parameter in cleartext in the REST response and logs it in the audit log. This allows a highly privileged, authenticated attacker with audit log access to view sensitive information.

Risk Assessment

The organization risks exposure of SSH passwords, potentially leading to unauthorized access to managed systems and privilege escalation within the infrastructure.

Recommendation

Immediately apply security patches provided by the vendor and restrict audit log access to trusted administrators only.

Original NVD description (English source)

When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to the audit log to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Vulnerability data from NVD (NIST) · CISA KEV · EPSS