high advisory

CVE-2026-32643: F5 BIG-IP and BIG-IQ Authenticated Command Execution

CVE-2026-32643 describes a vulnerability in F5 BIG-IP and BIG-IQ systems that allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects, leading to arbitrary command execution.

CVE-2026-32643 is a vulnerability affecting F5 BIG-IP and BIG-IQ systems. A highly privileged, authenticated attacker possessing at least the Certificate Manager role can exploit this vulnerability. Successful exploitation allows the attacker to modify configuration objects, which in turn enables the execution of arbitrary commands on the affected system. This vulnerability poses a significant risk, potentially leading to complete system compromise if exploited. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.

Attack Chain

  1. Attacker gains initial access and obtains valid credentials with at least Certificate Manager role privileges on the BIG-IP or BIG-IQ system.
  2. Attacker authenticates to the BIG-IP or BIG-IQ management interface (GUI or API).
  3. Attacker identifies configuration objects that can be modified to inject arbitrary commands. This may involve examining existing configuration settings or leveraging known vulnerable parameters.
  4. Attacker modifies the identified configuration object to include malicious commands. This could involve injecting shell commands or scripts into fields that are later executed by the system.
  5. Attacker triggers the execution of the modified configuration object. This may involve restarting services, applying configuration changes, or invoking specific functions within the BIG-IP or BIG-IQ system.
  6. The injected commands are executed with the privileges of the BIG-IP or BIG-IQ system, allowing the attacker to perform actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.
  7. Attacker leverages the command execution to further compromise the system or network, potentially gaining access to sensitive data or other systems.

Impact

Successful exploitation of CVE-2026-32643 allows an attacker to execute arbitrary commands on the affected BIG-IP or BIG-IQ system. This can lead to a complete compromise of the system, including the ability to install malware, steal sensitive data, or disrupt critical services. Given the central role of BIG-IP and BIG-IQ systems in network infrastructure, a successful attack could have widespread consequences, impacting numerous organizations.

Recommendation

  • Apply the security patch or upgrade to a non-vulnerable version of BIG-IP or BIG-IQ as recommended by F5. Refer to F5’s advisory https://my.f5.com/manage/s/article/K000160972 for specific instructions.
  • Restrict access to the BIG-IP and BIG-IQ management interface to only authorized personnel and enforce strong authentication measures.
  • Review existing user roles and permissions to ensure that only necessary privileges are granted. Limit the number of users with the Certificate Manager role.
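One way to carry out the role review above, as an added example that is not part of the original advisory or of F5's tooling: it parses saved output of `tmsh list auth user` and lists the accounts granted the Certificate Manager role, per partition. The sample text is constructed, and the role keyword `certificate-manager` and the brace layout are assumptions to check against your TMOS version.

```python
import re

# Constructed sample in the brace layout of `tmsh list auth user`; the role
# keyword certificate-manager is assumed to match your TMOS version.
SAMPLE = """\
auth user certops {
    partition-access {
        all-partitions {
            role certificate-manager
        }
    }
}
auth user helpdesk {
    partition-access {
        Common {
            role guest
        }
        Web {
            role certificate-manager
        }
    }
}
auth user viewer {
    partition-access {
        all-partitions {
            role auditor
        }
    }
}
"""

def parse_roles(text):
    """Map each user to {partition: role} from `list auth user` output."""
    users, user, partition = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"auth user (\S+) \{", line):
            user = m.group(1)
            users[user] = {}
        elif user and (m := re.fullmatch(r"(\S+) \{", line)):
            partition = m.group(1)  # innermost block name wins before a role line
        elif user and (m := re.fullmatch(r"role (\S+)", line)):
            users[user][partition] = m.group(1)
    return users

def role_holders(text, roles=("certificate-manager",)):
    """Return [(user, [partitions])] for accounts granted any role in `roles`."""
    hits = ((u, sorted(p for p, r in g.items() if r in roles))
            for u, g in sorted(parse_roles(text).items()))
    return [(u, parts) for u, parts in hits if parts]
```

Because the advisory says "at least" the Certificate Manager role, pass any further roles your F5 guidance treats as equivalent or higher through the `roles` argument.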

Detection coverage (2)

Detects CVE-2026-32643 Exploitation Attempt — Configuration Object Modification

medium

Detects attempts to exploit CVE-2026-32643 by monitoring for suspicious modifications to configuration objects by authenticated users with Certificate Manager privileges, potentially indicating command injection attempts.

sigma | tactics: execution, privilege_escalation | techniques: T1068 | sources: webserver

Detects CVE-2026-32643 Exploitation Attempt — Certificate Manager Role Activity

low

Detects suspicious activity from accounts with Certificate Manager role that might be indicative of CVE-2026-32643 exploitation.

sigma | tactics: privilege_escalation | techniques: T1068 | sources: webserver
