This vulnerability arises from improper permission assignments for critical resources within F5 BIG-IP's iControl REST API and TMOS shell (tmsh) undisclosed command interface. An attacker with valid authentication privileges could exploit this weakness to gain unauthorized read access to sensitive information. The issue is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). Affected versions include 21.0.0, 17.5.0, 17.1.0, and 16.1.0. The CVSS 3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality only.

Successful exploitation allows an authenticated attacker to view sensitive information due to incorrect permission assignments. There is no impact on system integrity or availability. The confidentiality impact is high, but the overall severity is medium due to the requirement for attacker authentication and lack of user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, organizations should monitor F5's advisories for updates. In the meantime, restrict access to iControl REST and TMOS shell interfaces to trusted administrators only and enforce strong authentication controls to limit exposure.