high advisory

CVE-2026-41957: F5 BIG-IP and BIG-IQ Authenticated Remote Code Execution Vulnerability

An authenticated remote code execution vulnerability (CVE-2026-41957) exists in the F5 BIG-IP and BIG-IQ Configuration utility, potentially leading to arbitrary code execution on affected systems.

CVE-2026-41957 describes an authenticated remote code execution (RCE) vulnerability affecting the F5 BIG-IP and BIG-IQ Configuration utility. The specific attack vectors remain undisclosed. An attacker with valid credentials could exploit this vulnerability to execute arbitrary code on the target system. Given the critical role of BIG-IP and BIG-IQ in network infrastructure, successful exploitation can lead to significant disruption, data breaches, and further lateral movement within the network. Software versions which have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.

Attack Chain

  1. Attacker gains valid credentials to access the BIG-IP or BIG-IQ Configuration utility.
  2. Attacker authenticates to the Configuration utility using the acquired credentials.
  3. Attacker crafts a malicious request targeting the undisclosed vulnerable component within the Configuration utility.
  4. The malicious request triggers deserialization of untrusted data (CWE-502).
  5. The deserialization process leads to the execution of arbitrary code on the system.
  6. Attacker establishes a reverse shell or other remote access mechanism.
  7. Attacker performs post-exploitation activities, such as gathering sensitive information or moving laterally within the network.

Impact

Successful exploitation of CVE-2026-41957 can allow an authenticated attacker to execute arbitrary code on the affected BIG-IP or BIG-IQ system. This can lead to complete system compromise, allowing attackers to steal sensitive data, disrupt network services, and potentially pivot to other systems within the network. Given the central role of F5 products in many organizations’ network infrastructure, the impact of this vulnerability could be significant.

Recommendation

  • Apply the security updates released by F5 Networks to patch CVE-2026-41957 as soon as possible. Refer to F5’s advisory https://my.f5.com/manage/s/article/K000156761 for specific details and affected versions.
  • Deploy the Sigma rule “Detects CVE-2026-41957 Exploitation Attempt — Suspicious URI Access” to monitor web server logs for potential exploitation attempts.
  • Implement strong password policies and multi-factor authentication to reduce the risk of credential compromise, mitigating the initial access vector required to exploit CVE-2026-41957.

Detection coverage (2)

Detects CVE-2026-41957 Exploitation Attempt — Suspicious URI Access

medium

Detects CVE-2026-41957 exploitation attempt — monitors for suspicious URI access patterns in web server logs that may indicate an attempt to trigger the RCE vulnerability.

Format: sigma | Tactics: execution, initial_access | Techniques: T1219 | Sources: webserver

Detects CVE-2026-41957 Exploitation Attempt — Deserialization of Untrusted Data

medium

Detects CVE-2026-41957 exploitation attempt by monitoring web server logs for specific indicators related to deserialization of untrusted data.

Format: sigma | Tactics: execution, initial_access | Techniques: T1219 | Sources: webserver
