high advisory

CVE-2026-40061: BIG-IP DNS iControl REST/TMSH Command Injection Vulnerability

CVE-2026-40061 is a vulnerability in F5 BIG-IP DNS that allows an authenticated attacker with Resource Administrator or Administrator privileges to execute arbitrary system commands with elevated privileges via undisclosed iControl REST and TMOS Shell (tmsh) commands, potentially crossing security boundaries in Appliance mode deployments.

CVE-2026-40061 affects F5 BIG-IP systems when BIG-IP DNS is provisioned. The flaw resides in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command. Exploitation requires an authenticated attacker holding either the Resource Administrator or Administrator role, and lets that attacker execute arbitrary system commands with elevated privileges. In Appliance mode deployments, exploitation allows the attacker to bypass security restrictions. Versions that have reached End of Technical Support (EoTS) are not evaluated.

Attack Chain

  1. An authenticated attacker gains access to the BIG-IP DNS system with either Resource Administrator or Administrator credentials.
  2. The attacker leverages an undisclosed iControl REST API endpoint or a BIG-IP TMOS Shell (tmsh) command.
  3. The attacker injects malicious commands into a parameter or argument of the vulnerable iControl REST API or tmsh command.
  4. The injected commands are executed by the BIG-IP system with elevated privileges.
  5. The attacker gains unauthorized access to sensitive data or system resources.
  6. In Appliance mode deployments, the attacker crosses security boundaries, gaining further access.
  7. The attacker establishes persistence through a backdoor or scheduled task.
  8. The attacker achieves complete control over the BIG-IP DNS system.

Impact

Successful exploitation of CVE-2026-40061 can lead to a complete compromise of the BIG-IP DNS system. An attacker can gain unauthorized access to sensitive data, modify system configurations, and disrupt network services. In Appliance mode deployments, the attacker can bypass security restrictions, potentially gaining access to other systems within the network. The impact could range from data breaches and service disruptions to complete system takeover.

Recommendation

  • Apply the latest security patches released by F5 Networks to address CVE-2026-40061 on BIG-IP DNS.
  • Review user roles and permissions to ensure that only authorized personnel have Resource Administrator or Administrator privileges on BIG-IP DNS.
  • Monitor BIG-IP DNS logs for suspicious activity related to iControl REST API calls and tmsh commands, using the “Detect BIG-IP DNS iControl REST/TMSH Command Injection” Sigma rule.
  • Implement network segmentation to limit the impact of a successful exploit on Appliance mode deployments.
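
As an added example (not part of the original advisory, the referenced Sigma rules, or F5's tooling), the log monitoring recommended above can be approximated by scanning tmsh AUDIT records for shell metacharacters in cmd_data. The record layout, the sample lines and the gtm commands in them are constructed assumptions; the affected command is undisclosed, so this is a generic triage heuristic, not a signature for CVE-2026-40061.

```python
import re

# Constructed sample lines. Assumption: tmsh AUDIT records as written to
# /var/log/audit, with user= and cmd_data= fields. Commands are arbitrary.
SAMPLE_AUDIT = """\
Jan 12 09:14:02 bigip1 notice tmsh[4121]: 01420002:5: AUDIT - pid=4121 user=alice folder=/Common module=(tmos)# status=[Command OK] cmd_data=list gtm pool a
Jan 12 09:15:40 bigip1 notice tmsh[4188]: 01420002:5: AUDIT - pid=4188 user=bob folder=/Common module=(tmos)# status=[Command OK] cmd_data=show gtm server example-srv; id
Jan 12 09:16:05 bigip1 notice tmsh[4190]: 01420002:5: AUDIT - pid=4190 user=bob folder=/Common module=(tmos)# status=[Command OK] cmd_data=create gtm wideip a www.example.test { description "a; b" }
Jan 12 09:17:11 bigip1 notice tmsh[4203]: 01420002:5: AUDIT - pid=4203 user=carol folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify gtm server example-srv description $(uname)
"""

AUDIT_RE = re.compile(r"tmsh\[\d+\]:.*?\buser=(?P<user>\S+).*?\bcmd_data=(?P<cmd>.*)$")
# Metacharacter set is an assumption to tune per environment.
META_RE = re.compile(r"[;`]|\$\(|&&|\|\|")
QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"')


def scan_audit(text):
    """Return (user, severity, cmd) for tmsh AUDIT lines holding shell metacharacters."""
    hits = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if not META_RE.search(cmd):
            continue
        # Metacharacters still present after quoted strings are blanked sit in
        # the command itself: higher confidence than ones inside a quoted value,
        # which are kept as "review" rather than dropped.
        unquoted = QUOTED_RE.sub('""', cmd)
        severity = "high" if META_RE.search(unquoted) else "review"
        hits.append((m.group("user"), severity, cmd))
    return hits


if __name__ == "__main__":
    for user, sev, cmd in scan_audit(SAMPLE_AUDIT):
        print(f"{sev:6} user={user} cmd_data={cmd}")
```

Hits from accounts holding the Resource Administrator or Administrator role are the ones relevant to this CVE; correlate the user field against the role review in the second recommendation.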

Detection coverage (2)

Detect BIG-IP DNS iControl REST/TMSH Command Injection

high

Detects CVE-2026-40061 exploitation — attempts to inject commands into iControl REST API calls or tmsh commands on BIG-IP DNS

sigma | tactics: execution, privilege_escalation | techniques: T1059.004 | sources: webserver

Detect BIG-IP DNS TMSH Command Execution via Shell

high

Detects CVE-2026-40061 exploitation — execution of suspicious commands via tmsh shell

sigma | tactics: execution, privilege_escalation | techniques: T1059.004 | sources: process_creation, linux
