CVE-2017-6144

high

CVSS v3 Base Score

7.4

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.2%

Exploitation probability in 30 days

Top 62% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Confidentiality

High

Integrity

High

Availability

None

Published: October 20, 2017 (3127 days ago)

Last Modified: May 13, 2026

Vendor: F5

Source: NVD

Description

In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position may be able to launch a man-in-the-middle attack against these connections. TAC databases are used in BIG-IP PEM for Device Type and OS (DTOS) and Tethering detection. Customers not using BIG-IP PEM, not configuring downloads of TAC database files, or not using HTTP for that download are not affected.

CWE

CWE-295

Affected Products

f5 big-ip policy enforcement manager

References

🔗 support.f5.com 🔗 support.f5.com

CVE-2017-6144

Vulnerability Report

Description

CWE

Affected Products

References