Attack Chain

1. The attacker authenticates to the BIG-IP system with Resource Administrator or Administrator privileges.
2. The attacker accesses the BIG-IP configuration interface.
3. The attacker creates or modifies a scripted monitor.
4. Within the scripted monitor, the attacker injects malicious system commands.
5. The BIG-IP system executes the scripted monitor.
6. The injected commands are executed with elevated privileges.
7. In appliance mode deployments, the attacker may cross a security boundary due to the elevated privileges.
8. The attacker gains unauthorized access to sensitive system resources and can perform administrative actions.

Impact

Successful exploitation of CVE-2026-32673 allows an attacker to execute arbitrary system commands with higher privileges on the affected BIG-IP system. In appliance mode deployments, this can lead to a breach of security boundaries, potentially granting the attacker complete control over the system. The number of victims and specific sectors targeted are currently unknown. However, given the widespread use of BIG-IP in critical infrastructure and enterprise networks, the potential impact is significant.

Recommendation

• Apply the updates or mitigations provided by F5 Networks as detailed in their advisory [https://my.f5.com/manage/s/article/K000161040].
• Deploy the Sigma rule “Detect CVE-2026-32673 Exploitation - Scripted Monitor Command Injection” to detect potential exploitation attempts in your environment.
• Review and restrict access to the Resource Administrator and Administrator roles on BIG-IP systems to minimize the attack surface.
• Monitor BIG-IP systems for suspicious activity, including unusual command execution within scripted monitors.