CVE-2026-28758 Overview
CVE-2026-28758 is an information disclosure vulnerability in F5 BIG-IP DNS [CWE-312: Cleartext Storage of Sensitive Information]. When BIG-IP DNS is provisioned, the gtm_add and bigip_add iControl REST commands return the ssh-password parameter in cleartext within the API response. The same cleartext credential is also written to the audit log. A highly privileged, authenticated attacker with access to the audit log can read these credentials and reuse them to access other systems. F5 notes that software versions which have reached End of Technical Support are not evaluated.
Critical Impact
Cleartext SSH passwords are exposed in iControl REST responses and audit logs, enabling credential harvesting by privileged users with log access.
Affected Products
- F5 BIG-IP DNS (when DNS module is provisioned)
- iControl REST gtm_add command
- iControl REST bigip_add command
Discovery Timeline
- 2026-05-13 - CVE-2026-28758 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28758
Vulnerability Analysis
The vulnerability resides in how BIG-IP DNS handles the ssh-password parameter passed to two iControl REST helper commands. The gtm_add and bigip_add commands are used to establish trust and synchronization relationships between BIG-IP devices. Both commands accept an SSH password to authenticate against peer devices during the trust establishment workflow.
Instead of redacting or masking the sensitive parameter, the iControl REST handler echoes the supplied ssh-password value back in the API response body in cleartext. The same value is then persisted to the BIG-IP audit log, which records administrative API activity. Anyone with read access to the audit log can recover SSH credentials used for inter-device trust setup.
The vulnerability requires local access and high privileges. Exploitation does not enable remote unauthenticated compromise, but it does enable credential theft and lateral movement within a BIG-IP cluster or to managed peer devices.
Root Cause
The root cause is failure to apply output sanitization to a credential parameter [CWE-312]. The REST endpoint treats ssh-password as a routine request field rather than a secret. No filtering is applied before serializing the response or writing the audit log entry.
Attack Vector
An authenticated administrator or any account with audit log read permission can review historical log entries to extract cleartext SSH passwords. The attacker can also capture credentials in real time by observing iControl REST responses when another administrator invokes gtm_add or bigip_add. Recovered credentials may then be used to access peer BIG-IP devices over SSH.
No verified public exploit code is available. The vulnerability mechanism is described in the F5 Security Advisory K000158070.
Detection Methods for CVE-2026-28758
Indicators of Compromise
- Audit log entries containing gtm_add or bigip_add invocations with visible cleartext ssh-password field values.
- iControl REST response bodies referencing the ssh-password parameter outside of an active trust setup workflow.
- Unexpected SSH authentications to BIG-IP peer devices originating from accounts that previously read the audit log.
Detection Strategies
- Parse the BIG-IP audit log for the strings gtm_add, bigip_add, and ssh-password to enumerate exposed credentials.
- Correlate audit log read events with subsequent SSH login activity on BIG-IP DNS peers to surface potential credential reuse.
- Review iControl REST access logs for non-administrator accounts retrieving historical command output.
Monitoring Recommendations
- Forward BIG-IP audit logs to a centralized log platform and apply alerts on the ssh-password token appearing in any record.
- Track all role assignments that grant audit log read permission and alert on additions.
- Monitor for SSH password changes on BIG-IP devices following any audit log access by non-privileged operators.
How to Mitigate CVE-2026-28758
Immediate Actions Required
- Apply the fixed software version listed in F5 Security Advisory K000158070 for supported BIG-IP DNS releases.
- Rotate any SSH passwords that were previously passed to gtm_add or bigip_add on affected systems.
- Restrict audit log read access to a minimal set of trusted administrators and review existing grants.
- Purge or restrict access to historical audit log entries containing exposed credentials.
Patch Information
F5 has published remediation guidance in F5 Security Advisory K000158070. Software versions that have reached End of Technical Support are not evaluated by F5 and should be upgraded to a supported, patched release. Customers should consult the advisory for the specific fixed version corresponding to their deployed branch.
Workarounds
- Limit iControl REST and audit log access to dedicated administrator accounts only, applying least privilege to all BIG-IP roles.
- Avoid invoking gtm_add and bigip_add with persistent SSH passwords; use one-time credentials and rotate them immediately after trust setup.
- Stream audit logs off-box to a controlled SIEM and redact ssh-password fields before archival where supported.
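The detection strategy above (parsing the audit log for gtm_add, bigip_add and ssh-password) and the last workaround (redacting ssh-password fields before archival) can share one piece of tooling. The following Python script is an added example written for this page; it is not F5 code and not part of the advisory. The audit log lines it scans are constructed for the example, and the exact layout of a real BIG-IP audit record and of a gtm_add/bigip_add invocation inside cmd_data is an assumption, so the regular expressions should be adjusted to the format seen on the box. The scanner deliberately reports only which account and which command exposed a credential, never the credential itself, so its own output can be forwarded to a SIEM without repeating the leak.

```python
"""Enumerate cleartext ssh-password exposures in BIG-IP style audit logs and
produce a redacted copy suitable for archival.

The log format below is constructed for this example; adapt the regexes to the
audit record layout on a real BIG-IP before relying on the results.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The two iControl REST helper commands named in the advisory.
TRUST_COMMANDS = ("gtm_add", "bigip_add")
TRUST_COMMAND_RE = re.compile(r"\b(" + "|".join(TRUST_COMMANDS) + r")\b")
# ssh-password followed by '=' or whitespace, then the value up to the next space.
SSH_PASSWORD_RE = re.compile(r"(ssh-password[=\s]+)(\S+)")
USER_RE = re.compile(r"\buser=(\S+)")
REDACTED = "[REDACTED]"

# Constructed sample audit log (assumed layout, not captured from a real device).
SAMPLE_AUDIT_LOG = """\
Mar  3 10:01:12 bigip1 notice tmsh[1234]: 01420002:5: AUDIT - pid=1234 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
Mar  3 10:02:45 bigip1 notice restjavad[2222]: 01420002:5: AUDIT - user=admin cmd_data=run gtm gtm_add -a 192.0.2.10 ssh-password Secret123!
Mar  3 10:03:07 bigip1 notice restjavad[2222]: 01420002:5: AUDIT - user=ops1 cmd_data=run gtm bigip_add ssh-password=Hunter2 192.0.2.11
Mar  3 10:05:00 bigip1 notice tmsh[1234]: 01420002:5: AUDIT - user=admin cmd_data=show sys version
"""


@dataclass
class Exposure:
    line_no: int            # 1-based line number within the scanned text
    user: str               # account that issued the command ("unknown" if absent)
    command: Optional[str]  # gtm_add / bigip_add, or None if ssh-password appeared elsewhere


def find_exposures(log_text: str) -> List[Exposure]:
    """Return one Exposure per line carrying a cleartext ssh-password value.

    The password itself is intentionally not returned: the point of the report is
    to know which credentials must be rotated, not to copy them somewhere else.
    """
    found: List[Exposure] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not SSH_PASSWORD_RE.search(line):
            continue
        user_m = USER_RE.search(line)
        cmd_m = TRUST_COMMAND_RE.search(line)
        found.append(Exposure(
            line_no=line_no,
            user=user_m.group(1) if user_m else "unknown",
            command=cmd_m.group(1) if cmd_m else None,
        ))
    return found


def redact_line(line: str) -> str:
    """Replace every ssh-password value on the line with a fixed marker."""
    return SSH_PASSWORD_RE.sub(lambda m: m.group(1) + REDACTED, line)


def redact_log(log_text: str) -> str:
    """Redact a whole log text, preserving line breaks, for off-box archival."""
    return "".join(redact_line(line) for line in log_text.splitlines(keepends=True))


if __name__ == "__main__":
    for exp in find_exposures(SAMPLE_AUDIT_LOG):
        cmd = exp.command or "(no trust command on line)"
        print(f"line {exp.line_no}: user={exp.user} exposed ssh-password via {cmd}; rotate that credential")
    print("--- redacted copy for archival ---")
    print(redact_log(SAMPLE_AUDIT_LOG), end="")
```

Run against the constructed sample, the scanner flags the gtm_add call by admin and the bigip_add call by ops1 as exposures and leaves the two ordinary tmsh records alone; the redacted copy keeps the command context (which is still useful for the SSH-login correlation described under Detection Strategies) while dropping the secret values.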
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.