high advisory

CVE-2026-39459 - F5 iControl REST and TMOS Shell (tmsh) Arbitrary Command Execution

CVE-2026-39459 describes a vulnerability in F5's iControl REST and TMOS Shell (tmsh) where a privileged, authenticated attacker with at least the Manager role can execute arbitrary commands by creating malicious configuration objects.

CVE-2026-39459 is a critical vulnerability affecting F5’s iControl REST API and TMOS Shell (tmsh). It allows a highly privileged, authenticated attacker with at least the Manager role to execute arbitrary commands on the target system by creating malicious configuration objects that lead to command execution when they are processed. The vulnerability poses a significant threat to F5 deployments, because a compromised Manager account could lead to complete system takeover. Exploitation requires prior authentication and the Manager role (or higher), which limits the attack surface, but the potential impact of a successful compromise is severe. The affected products are iControl REST and TMOS Shell (tmsh).

Attack Chain

  1. The attacker gains unauthorized access to an account with at least the Manager role on the F5 system.
  2. The attacker authenticates to the iControl REST API or TMOS Shell (tmsh) using the compromised credentials.
  3. The attacker crafts a malicious configuration object designed to execute arbitrary commands when processed by the system.
  4. The attacker uses the iControl REST API or TMOS Shell (tmsh) to create the malicious configuration object. This could involve sending a POST request to a specific endpoint or using tmsh commands.
  5. The system processes the newly created configuration object. This processing triggers the execution of the embedded arbitrary commands due to the vulnerability.
  6. The attacker executes commands with elevated privileges, potentially compromising the entire F5 system.
  7. The attacker pivots within the network, leveraging the compromised F5 system as a beachhead for further attacks.
  8. The attacker achieves their final objective, which could include data exfiltration, service disruption, or further lateral movement within the network.

Impact

Successful exploitation of CVE-2026-39459 allows a privileged attacker to execute arbitrary commands on the F5 system. This could lead to complete system compromise, including data theft, service disruption, and lateral movement within the network. Given the critical role of F5 devices in network infrastructure, a successful attack could have widespread and severe consequences, impacting numerous applications and services. The impact is amplified by the high privileges gained through exploitation.

Recommendation

  • Apply the security patch or mitigation provided by F5 Networks as soon as possible. Refer to the F5 Networks advisory https://my.f5.com/manage/s/article/K000160863 for detailed instructions.
  • Enforce the principle of least privilege, ensuring that users are granted only the minimum necessary permissions to perform their tasks. This can help reduce the attack surface and limit the potential impact of a compromised account.
  • Monitor for suspicious activity in the iControl REST API and TMOS Shell (tmsh) logs. Deploy the Sigma rule "Detect Suspicious TMOS Shell Activity" to detect unusual tmsh command executions.
  • Regularly review user accounts and permissions on F5 systems, looking for any unauthorized or unnecessary privileges.
  • Implement strong authentication and authorization mechanisms, such as multi-factor authentication (MFA), to protect against unauthorized access to F5 systems.

Detection coverage (2)

Detect Suspicious TMOS Shell Activity

medium

Detects suspicious TMOS Shell (tmsh) commands indicative of potential exploitation or unauthorized activity.

sigma | tactics: execution | techniques: T1059.004 | sources: process_creation, linux

Detect iControl REST API Abuse - Configuration Creation

low

Detects HTTP requests to the iControl REST API that create or modify configuration objects, which could be used to exploit CVE-2026-39459.

sigma | tactics: initial_access | techniques: T1190 | sources: webserver
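
The logic the second rule describes, sketched as an added example (this is not the platform's Sigma rule and not F5 code). It assumes Apache common-log-format lines from the management web server and a hypothetical allowlist of hosts expected to push configuration; the log lines, users and object names are constructed.

```python
import re
from collections import Counter

# Assumption: Apache common-log-format lines; adapt the regex to your log source.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)
WRITE_METHODS = {"POST", "PUT", "PATCH"}  # verbs that create or modify objects
API_PREFIX = "/mgmt/tm/"                  # iControl REST configuration namespace

# Constructed sample lines (documentation IP ranges, made-up users and objects).
SAMPLE_LOG = [
    '192.0.2.10 - admin [12/May/2026:09:14:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512',
    '192.0.2.10 - netops [12/May/2026:09:15:40 +0000] "POST /mgmt/tm/ltm/pool HTTP/1.1" 200 1340',
    '198.51.100.77 - netops [12/May/2026:23:51:09 +0000] "POST /mgmt/tm/ltm/virtual HTTP/1.1" 200 2210',
    '198.51.100.77 - netops [12/May/2026:23:51:30 +0000] "PATCH /mgmt/tm/ltm/virtual/~Common~vs_app HTTP/1.1" 200 2290',
    '192.0.2.10 - - [12/May/2026:23:52:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 900',
]

def find_config_writes(lines, allowed_sources=frozenset()):
    """Return iControl REST write requests, marking those from unlisted sources."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        if not m["path"].startswith(API_PREFIX):
            continue
        hits.append({
            "src": m["src"], "user": m["user"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
            "unexpected_source": m["src"] not in allowed_sources,
        })
    return hits

def unexpected_writers(hits):
    """Count write requests per (user, source) that came from unlisted sources."""
    return Counter((h["user"], h["src"]) for h in hits if h["unexpected_source"])

if __name__ == "__main__":
    # Hypothetical allowlist: the one host expected to push configuration.
    hits = find_config_writes(SAMPLE_LOG, allowed_sources={"192.0.2.10"})
    for (user, src), n in unexpected_writers(hits).items():
        print(f"review: {user} made {n} config write(s) from {src}")
```

Configuration writes are routine on a managed device, which is why the rule is rated low; pairing the match with a source or account baseline is what makes the hits worth reviewing.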
