F5 recently disclosed a CVSS 9.8 vulnerability with BIG-IP systems. This vulnerability would allow a NON-AUTHENTICATED attacker with access to the BIG-IP system to execute arbitrary system commands, create/delete files, and disable services. This does appear to be limited to just the control area, and doesn’t directly expose any data. However, any time you have this level of control the options to further the attack are pretty vast.
Looking through the mitigations that F5 provides, it appears that this vulnerability is available through the management interface and the “self IP address”. Again, this looks like a problem that could be solved simply with a default-deny posture, and only allowing connections that are absolutely necessary.
You can follow the vulnerability and read through the mitigation steps here: https://support.f5.com/csp/article/K23605346
