F5 has fixed two high-risk vulnerabilities in BIG-IP Next Central Manager that could allow attackers to gain full administrative control on devices. Attackers could leak admin password hashes and then crack them offline. These vulnerabilities could also allow attackers to create hidden accounts on downstream devices. The flaws were reported to F5 by security firm Eclypsium, who found five separate security issues. F5 issued advisories for two of them: an OData injection and an SQL injection. Both flaws were fixed in version 20.2.0 of BIG-IP Next Central Manager.