Can anyone clarify more about this vulnerability?is that mean if we have xxx.com and secure by WAF , one use have admin privilage to xxx.com can expolit this vulnerability?or they mean admin privilage to f5 ? https://my.f5.com/manage/s/article/K000133474

Hello THE_BLUE all CVE's that F5 documents in its Security Advisory series specifically refer to vulnerabilities that affect/compromise F5 products only, in this case BIG-IP. Any application that runs on-top of the BIG-IP, like an HTTP portal, will not be covered. So, unless xxx.com resolves to an IP address on the BIG-IP that allows Configuration Utility access (webI or SSH), it shoudn't be considered as an attack vector.

BIG-IP Configuration utility vulnerability CVE-2023-38138

Forum Discussion

Forum Discussion

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

What configuration issue am I experiencing with this 130-domain VS ?

F5 System Scanner - How I deployed it at scale

Ivanti MDM Core & F5 LTM/ASM with mTLS

F5 BIGIP & XC certbot plugin

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

Related Content

HTTP/2 bomb attack - is BIG-IP vulnerable against CVE-2026-49975?

OpenSSH vulnerability

Mitigating Log4j Vulnerability using F5 BIG-IP

Managing iRules configuration

Coordinated Vulnerability Disclosure: A Balanced Approach