Skip to main content

CVE-2015-3628

9.0
CVSS v2.0 Base Score
75.21%
HIGH RiskEPSS (99th percentile)
CWE-264

The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.3.0 before 11.5.3 HF2 and 11.6.0 before 11.6.0 HF6, BIG-IP AAM 11.4.0 before 11.5.3 HF2 and 11.6.0 before 11.6.0 HF6, BIG-IP Edge Gateway, WebAccelerator, and WOM 11.3.0, BIG-IP GTM 11.3.0 before 11.6.0 HF6, BIG-IP PSM 11.3.0 through 11.4.1, Enterprise Manager 3.1.0 through 3.1.1, BIG-IQ Cloud and Security 4.0.0 through 4.5.0, BIG-IQ Device 4.2.0 through 4.5.0, and BIG-IQ ADC 4.5.0 allows remote authenticated users with the "Resource Administrator" role to gain privileges via an iCall (1) script or (2) handler in a SOAP request to iControl/iControlPortal.cgi.

Published: 12/7/2015
Modified: 5/6/2026
Back to CVE Lookup

Vulnerability Summary

CVSS v2 Score

9

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS Score (Exploitation Probability)

75.21%HIGH Exploitation Risk
99th percentile

This vulnerability has a 75.21% probability of being exploited in the next 30 days, ranking higher than 99% of all scored CVEs.

CWE Classification

CWE-264

Related Vulnerabilities

Same Weakness Type(CWE-264)

CVE-2025-5321MEDIUM 6.3

A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument Abfrage leads to erweiterte Rechte. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

5/29/2025
CVE-2023-3599MEDIUM 6.3

A vulnerability was found in SourceCodester Best Fee Management System 1.0. It has been rated as critical. Affected by this issue is the function save_user of the file admin_class.php of the component Add User Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-233450 is the identifier assigned to this vulnerability.

7/10/2023
CVE-2022-36246CRITICAL 9.8

Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Insecure Permissions.

5/30/2023
CVE-2022-41781MEDIUM 6.5

Broken Access Control vulnerability in Permalink Manager Lite plugin <= 2.2.20 on WordPress.

11/18/2022
CVE-2022-36793MEDIUM 6.5

Unauthenticated Plugin Settings Change & Data Deletion vulnerabilities in WP Shop plugin <= 3.9.6 at WordPress.

9/9/2022

Learn More

CVSS Calculator

Calculate and understand CVSS scores

Understanding CVSS Scoring

Learn how severity scores are calculated and what they mean

CVE Prioritization Guide

Best practices for deciding which vulnerabilities to address first

What is a CVE?

Essential guide to Common Vulnerabilities and Exposures