CVE-2026-32673 - F5 BIG-IP Scripted Monitor Privilege Escalation
CVE-2026-32673 allows an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges through F5 BIG-IP scripted monitors, potentially crossing a security boundary in appliance mode deployments.
CVE-2026-32673 is a vulnerability affecting F5 BIG-IP scripted monitors. An authenticated attacker possessing either the Resource Administrator or Administrator role can exploit this flaw to execute arbitrary system commands with elevated privileges. The successful exploitation of this vulnerability in appliance mode deployments allows the attacker to bypass security boundaries, gaining unauthorized access to sensitive system resources. Note that F5 does not evaluate software versions that have reached End of Technical Support (EoTS) for this vulnerability.
Attack Chain
- The attacker authenticates to the BIG-IP system with Resource Administrator or Administrator privileges.
- The attacker accesses the BIG-IP configuration interface.
- The attacker creates or modifies a scripted monitor.
- Within the scripted monitor, the attacker injects malicious system commands.
- The BIG-IP system executes the scripted monitor.
- The injected commands are executed with elevated privileges.
- In appliance mode deployments, the attacker may cross a security boundary due to the elevated privileges.
- The attacker gains unauthorized access to sensitive system resources and can perform administrative actions.
Impact
Successful exploitation of CVE-2026-32673 allows an attacker to execute arbitrary system commands with higher privileges on the affected BIG-IP system. In appliance mode deployments, this can lead to a breach of security boundaries, potentially granting the attacker complete control over the system. The number of victims and specific sectors targeted are currently unknown. However, given the widespread use of BIG-IP in critical infrastructure and enterprise networks, the potential impact is significant.
Recommendation
- Apply the updates or mitigations provided by F5 Networks as detailed in their advisory: https://my.f5.com/manage/s/article/K000161040
- Deploy the Sigma rule “Detect CVE-2026-32673 Exploitation - Scripted Monitor Command Injection” to detect potential exploitation attempts in your environment.
- Review and restrict access to the Resource Administrator and Administrator roles on BIG-IP systems to minimize the attack surface.
- Monitor BIG-IP systems for suspicious activity, including unusual command execution within scripted monitors.
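An added example for the monitoring recommendation above (not F5's code and not the Sigma rule this page names): it reads audit log lines and reports which accounts created or modified scripted monitors, so those changes can be reviewed. The log layout, the `ltm monitor scripted` command form, and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout of a tmsh audit entry; adjust the patterns to your own log source.
AUDIT_RE = re.compile(
    r"user=(?P<user>\S+)\s+folder=\S+.*?"
    r"status=\[(?P<status>[^\]]*)\]\s+cmd_data=(?P<cmd>.*)$"
)
# A create/modify verb followed by a monitor type and object name (command form assumed).
CHANGE_RE = re.compile(
    r"(?P<verb>create|modify)\s+(?:/?ltm\s+)?monitor\s+(?P<type>\S+)\s+(?P<name>\S+)"
)

def find_monitor_changes(lines, monitor_types=("scripted",)):
    """Return one record per audit entry that creates or modifies a listed monitor type."""
    hits = []
    for line in lines:
        entry = AUDIT_RE.search(line)
        if not entry:
            continue  # not an audit entry in the assumed layout
        change = CHANGE_RE.match(entry["cmd"].strip())
        if change and change["type"] in monitor_types:
            hits.append({
                "user": entry["user"],
                "verb": change["verb"],
                "monitor": change["name"],
                "succeeded": entry["status"] == "Command OK",
            })
    return hits

def changes_by_user(hits):
    """Group changed monitor names by the account that issued the command."""
    grouped = defaultdict(list)
    for hit in hits:
        grouped[hit["user"]].append(hit["monitor"])
    return dict(grouped)

# Constructed sample lines (hostname, users and object names are made up).
_P = "Mar  3 10:14:02 bigip1 notice tmsh[4121]: AUDIT - pid=4121 "
SAMPLE_LOG = [
    _P + "user=opsadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=create ltm monitor scripted /Common/app_check interval 30",
    _P + "user=opsadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm pool",
    _P + "user=resadmin1 folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify ltm monitor scripted /Common/app_check interval 10",
    _P + "user=resadmin1 folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify ltm monitor http /Common/web_check interval 5",
]

if __name__ == "__main__":
    for user, monitors in changes_by_user(find_monitor_changes(SAMPLE_LOG)).items():
        print(f"{user}: {monitors}")
```

Compare the accounts it reports against the list of users who are expected to hold the Resource Administrator or Administrator role.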
Detection coverage
- Detect CVE-2026-32673 Exploitation - Scripted Monitor Command Injection (severity: high): Detects CVE-2026-32673 exploitation: attempts to inject system commands into BIG-IP scripted monitors.
- Detect BIG-IP Administrator Login (severity: info): Detects successful login by a BIG-IP administrator.
Detection queries are available on the platform.