{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/big-ip/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-42930"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","f5"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-42930 describes a privilege escalation vulnerability affecting F5 BIG-IP systems running in Appliance mode. An authenticated attacker who has already been assigned the \u0026lsquo;Administrator\u0026rsquo; role can leverage this flaw to bypass the intended restrictions enforced by Appliance mode. The vulnerability exists because the appliance mode restrictions are not properly enforced for authenticated administrators. Successful exploitation allows the administrator to perform actions beyond the intended scope of their role, potentially leading to full system compromise. This vulnerability was disclosed on May 13, 2026. 
Defenders should be aware of the potential for administrators with compromised credentials to exploit this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid \u0026lsquo;Administrator\u0026rsquo; credentials to the BIG-IP system through credential compromise or insider threat.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the BIG-IP system\u0026rsquo;s management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to perform actions that should be restricted by Appliance mode.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the system fails to properly enforce Appliance mode restrictions for the authenticated administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully executes privileged commands or modifies system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges further by installing malicious software or modifying critical system files.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the BIG-IP system, potentially disrupting network services or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42930 can lead to a complete compromise of the BIG-IP system. An attacker could disrupt network services, exfiltrate sensitive data, or use the compromised system as a launchpad for further attacks within the network. 
Given that BIG-IP systems are often deployed at the network edge, this vulnerability poses a significant risk to the organization\u0026rsquo;s overall security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor BIG-IP systems for unauthorized activity performed by administrator accounts, using the rule \u003ccode\u003eDetect BIG-IP Appliance Mode Bypass\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for administrator accounts on BIG-IP systems.\u003c/li\u003e\n\u003cli\u003eConsult F5\u0026rsquo;s advisory K000160876 for specific mitigation guidance.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates from F5 Networks to address CVE-2026-42930 when released.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process execution on BIG-IP systems using the \u003ccode\u003eDetect Suspicious Process Execution on BIG-IP\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:26:19Z","date_published":"2026-05-13T16:26:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bigip-bypass/","summary":"CVE-2026-42930 allows an authenticated attacker with 'Administrator' privileges to bypass Appliance mode restrictions on F5 BIG-IP systems.","title":"CVE-2026-42930: F5 BIG-IP Appliance Mode Restriction Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-bigip-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-42924"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","snmp","f5","cve-2026-42924"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-42924 is a privilege escalation vulnerability in F5 BIG-IP. 
An authenticated attacker with either the Resource Administrator or Administrator role can exploit this flaw by crafting malicious SNMP configuration objects via iControl SOAP. Successful exploitation leads to privilege escalation within the BIG-IP system. The vulnerability is triggered due to insufficient validation or sanitization when creating SNMP configuration objects. This allows an attacker to insert malicious configurations, leading to elevated privileges. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the F5 BIG-IP system with Resource Administrator or Administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SNMP configuration object. This object contains commands or configurations designed to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses iControl SOAP API to send a request to create the malicious SNMP configuration object.\u003c/li\u003e\n\u003cli\u003eThe iControl SOAP API processes the request without proper validation of the SNMP configuration object.\u003c/li\u003e\n\u003cli\u003eThe malicious SNMP configuration object is created within the BIG-IP system.\u003c/li\u003e\n\u003cli\u003eThe malicious SNMP configuration allows the attacker to execute commands with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the escalated privileges to perform unauthorized actions on the BIG-IP system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42924 allows an attacker to gain elevated privileges on the F5 BIG-IP system. This can lead to full control of the device, potentially allowing the attacker to intercept network traffic, modify configurations, or disrupt services. 
The specific impact depends on the attacker\u0026rsquo;s objectives and the configuration of the BIG-IP system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch or upgrade to a fixed version of F5 BIG-IP to address CVE-2026-42924.\u003c/li\u003e\n\u003cli\u003eMonitor iControl SOAP API requests for suspicious activity related to SNMP configuration creation (see rule \u0026ldquo;Detect Suspicious iControl SOAP SNMP Configuration Creation\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the number of users with Resource Administrator or Administrator privileges.\u003c/li\u003e\n\u003cli\u003eAudit existing SNMP configurations for any unauthorized or malicious entries.\u003c/li\u003e\n\u003cli\u003eReview F5\u0026rsquo;s advisory K000160926 for mitigation and remediation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:26:04Z","date_published":"2026-05-13T16:26:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-f5-snmp-privesc/","summary":"CVE-2026-42924 allows an authenticated attacker with Resource Administrator or Administrator privileges to escalate privileges by creating malicious SNMP configuration objects through iControl SOAP.","title":"F5 BIG-IP CVE-2026-42924 iControl SOAP SNMP Configuration Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-f5-snmp-privesc/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-42920"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP"],"_cs_severities":["medium"],"_cs_tags":["cve","dos","f5"],"_cs_type":"threat","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-42920 is a high-severity vulnerability affecting F5 BIG-IP systems. The vulnerability resides in the Traffic Management Microkernel (TMM). 
When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, specifically crafted, yet undisclosed, network traffic can trigger a termination of the TMM process. This can lead to a denial-of-service condition. Exploitation of this issue does not require authentication. The vulnerability details were published on May 13, 2026. Software versions which have reached End of Technical Support (EoTS) are not evaluated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the limited information, the attack chain is inferred based on the vulnerability description:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target BIG-IP system with a UDP virtual server configured with a Client SSL profile and Allow Dynamic Record Sizing enabled.\u003c/li\u003e\n\u003cli\u003eAttacker crafts specialized network packets, leveraging the undisclosed vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker sends the malicious UDP packets to the vulnerable virtual server.\u003c/li\u003e\n\u003cli\u003eThe packets are processed by the TMM, triggering a vulnerability due to the dynamic record sizing logic.\u003c/li\u003e\n\u003cli\u003eThe TMM process encounters an unhandled exception or infinite loop, leading to its termination (CWE-835).\u003c/li\u003e\n\u003cli\u003eThe BIG-IP system experiences a denial-of-service condition as the TMM process is no longer operational.\u003c/li\u003e\n\u003cli\u003eAvailability of services handled by the affected virtual server is interrupted.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42920 results in the termination of the Traffic Management Microkernel (TMM), leading to a denial-of-service condition. This impacts the availability of services provided by the affected BIG-IP virtual server. 
The vulnerability has a CVSS v3.1 score of 7.5, indicating a high level of severity. The number of potential victims is dependent on the number of BIG-IP systems with vulnerable configurations exposed to malicious traffic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConsult F5\u0026rsquo;s advisory K000160901 for affected versions and mitigation steps.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for anomalies targeting UDP virtual servers with Client SSL profiles and dynamic record sizing enabled.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect BIG-IP TMM Termination Traffic\u003c/code\u003e to detect potential exploitation attempts based on traffic patterns (see below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:25:51Z","date_published":"2026-05-13T16:25:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-42920/","summary":"CVE-2026-42920 describes a vulnerability where undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate when a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server.","title":"CVE-2026-42920 - F5 BIG-IP TMM Termination Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-42920/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-42406"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP","BIG-IQ"],"_cs_severities":["high"],"_cs_tags":["cve","cve-2026-42406","f5","big-ip","big-iq","rce","authenticated","privilege escalation"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-42406 is a vulnerability affecting F5 BIG-IP and BIG-IQ systems. A threat actor with high privileges and valid authentication credentials, specifically requiring at least the Certificate Manager role, can exploit this flaw. 
By modifying configuration objects within the system, the attacker can inject and execute arbitrary commands. This vulnerability poses a significant risk to organizations using these F5 products, as successful exploitation can lead to complete system compromise and unauthorized access to sensitive data. Software versions which have reached End of Technical Support (EoTS) are not evaluated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the BIG-IP or BIG-IQ system through valid credentials with at least Certificate Manager privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the administrative interface of the BIG-IP or BIG-IQ system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies modifiable configuration objects within the system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a configuration object to inject malicious commands.\u003c/li\u003e\n\u003cli\u003eThe system processes the modified configuration object.\u003c/li\u003e\n\u003cli\u003eThe injected commands are executed within the system context.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed commands to escalate privileges, move laterally within the network, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42406 can lead to complete compromise of the BIG-IP or BIG-IQ system. This can result in unauthorized access to sensitive data, disruption of services, and the potential for further lateral movement within the network. 
Given the critical role that BIG-IP and BIG-IQ systems play in network infrastructure, a successful attack can have significant consequences for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the mitigations recommended in F5\u0026rsquo;s security advisory [https://my.f5.com/manage/s/article/K000160971].\u003c/li\u003e\n\u003cli\u003eMonitor authentication logs for suspicious login activity to the BIG-IP or BIG-IQ administrative interface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting configuration changes by highly privileged accounts to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to ensure the principle of least privilege is enforced.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:25:19Z","date_published":"2026-05-13T16:25:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-42406-f5-rce/","summary":"CVE-2026-42406 allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects in F5 BIG-IP and BIG-IQ systems, leading to arbitrary command execution.","title":"CVE-2026-42406 - F5 BIG-IP and BIG-IQ Authenticated Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-42406-f5-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41957"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP","BIG-IQ"],"_cs_severities":["high"],"_cs_tags":["cve-2026-41957","rce","f5","big-ip","big-iq","authenticated","deserialization"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-41957 describes an authenticated remote code execution (RCE) vulnerability affecting the F5 BIG-IP and BIG-IQ Configuration utility. The specific attack vectors remain undisclosed. 
An attacker with valid credentials could exploit this vulnerability to execute arbitrary code on the target system. Given the critical role of BIG-IP and BIG-IQ in network infrastructure, successful exploitation can lead to significant disruption, data breaches, and further lateral movement within the network. Software versions which have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains valid credentials to access the BIG-IP or BIG-IQ Configuration utility.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the Configuration utility using the acquired credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious request targeting the undisclosed vulnerable component within the Configuration utility.\u003c/li\u003e\n\u003cli\u003eThe malicious request triggers deserialization of untrusted data (CWE-502).\u003c/li\u003e\n\u003cli\u003eThe deserialization process leads to the execution of arbitrary code on the system.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a reverse shell or other remote access mechanism.\u003c/li\u003e\n\u003cli\u003eAttacker performs post-exploitation activities, such as gathering sensitive information or moving laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41957 can allow an authenticated attacker to execute arbitrary code on the affected BIG-IP or BIG-IQ system. This can lead to complete system compromise, allowing attackers to steal sensitive data, disrupt network services, and potentially pivot to other systems within the network. 
Given the central role of F5 products in many organizations\u0026rsquo; network infrastructure, the impact of this vulnerability could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security updates released by F5 Networks to patch CVE-2026-41957 as soon as possible. Refer to F5\u0026rsquo;s advisory \u003ca href=\"https://my.f5.com/manage/s/article/K000156761\"\u003ehttps://my.f5.com/manage/s/article/K000156761\u003c/a\u003e for specific details and affected versions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detects CVE-2026-41957 Exploitation Attempt — Suspicious URI Access\u0026rdquo; to monitor web server logs for potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to reduce the risk of credential compromise, mitigating the initial access vector required to exploit CVE-2026-41957.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:25:07Z","date_published":"2026-05-13T16:25:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41957-rce/","summary":"An authenticated remote code execution vulnerability (CVE-2026-41957) exists in the F5 BIG-IP and BIG-IQ Configuration utility, potentially leading to arbitrary code execution on affected systems.","title":"CVE-2026-41957: F5 BIG-IP and BIG-IQ Authenticated Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41957-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-41953"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","f5","big-ip"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-41953 describes a vulnerability in F5 BIG-IP systems. 
An attacker with high privileges (Resource Administrator role or higher) and valid authentication can exploit this vulnerability to escalate their privileges. This is achieved by modifying configuration objects in a way that grants them higher access than initially intended. This vulnerability affects BIG-IP systems; software versions that have reached End of Technical Support (EoTS) are not evaluated. This vulnerability can be exploited by an insider threat or an attacker who has already compromised a highly privileged account. Successful exploitation allows the attacker to gain complete control over the BIG-IP system, potentially impacting network security and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains valid credentials for a BIG-IP account with at least the Resource Administrator role.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the BIG-IP management interface (GUI or CLI) using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a configuration object that, when modified, can grant them elevated privileges. 
This could involve modifying user roles, access policies, or system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the management interface or API to modify the identified configuration object.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s modifications are applied to the BIG-IP system configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker logs out and logs back in with the same account, or the system is restarted in order for the new privileges to be in effect.\u003c/li\u003e\n\u003cli\u003eThe attacker now has elevated privileges, allowing them to perform actions beyond the scope of their original role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to compromise other systems, exfiltrate data, or disrupt network operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41953 allows an attacker to escalate their privileges on a BIG-IP system. This can lead to complete control over the BIG-IP device, allowing them to reconfigure security policies, intercept network traffic, or disrupt services. The impact could include unauthorized access to sensitive data, network outages, and the compromise of other systems within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or hotfixes from F5 Networks to address CVE-2026-41953 as soon as possible.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for BIG-IP user accounts, limiting the number of users with the Resource Administrator role.\u003c/li\u003e\n\u003cli\u003eMonitor BIG-IP system logs for unauthorized configuration changes, particularly modifications to user roles and access policies. 
Deploy the Sigma rule \u003ccode\u003eDetect Suspicious BIG-IP Configuration Changes\u003c/code\u003e to identify potentially malicious configuration modifications.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all BIG-IP user accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:24:40Z","date_published":"2026-05-13T16:24:40Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bigip-privesc/","summary":"CVE-2026-41953 describes a privilege escalation vulnerability in F5 BIG-IP systems where a highly privileged, authenticated attacker with the Resource Administrator role can modify configuration objects, leading to elevated privileges within the system.","title":"BIG-IP Privilege Escalation via Configuration Modification (CVE-2026-41953)","url":"https://feed.craftedsignal.io/briefs/2026-05-bigip-privesc/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-40698"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP","BIG-IQ"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","snmp"],"_cs_type":"threat","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-40698 is a privilege escalation vulnerability affecting F5 BIG-IP and BIG-IQ systems. A remote, authenticated attacker who possesses at least Resource Administrator privileges can exploit this vulnerability to gain higher-level privileges within the system. The vulnerability stems from the ability to create arbitrary SNMP configuration objects through either the iControl REST API or the TMOS shell (tmsh). This can lead to the attacker gaining unauthorized control over the affected system. 
Note that software versions which have reached End of Technical Support (EoTS) are not evaluated as part of this vulnerability disclosure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the BIG-IP or BIG-IQ system with Resource Administrator privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SNMP configuration object using iControl REST API.\u003c/li\u003e\n\u003cli\u003eAttacker sends the malicious configuration object to the iControl REST endpoint.\u003c/li\u003e\n\u003cli\u003eAlternatively, attacker crafts a malicious SNMP configuration object using the TMOS shell (tmsh).\u003c/li\u003e\n\u003cli\u003eAttacker executes the crafted SNMP configuration object via the TMOS shell.\u003c/li\u003e\n\u003cli\u003eThe system processes the malicious SNMP configuration object.\u003c/li\u003e\n\u003cli\u003eThe malicious SNMP configuration object is created.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the newly created SNMP configuration object to escalate privileges to gain unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40698 allows an attacker with Resource Administrator privileges to escalate their privileges within the BIG-IP or BIG-IQ system. This can lead to complete system compromise, allowing the attacker to modify configurations, access sensitive data, and potentially disrupt services. 
The specific impact depends on the scope of the escalated privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch or upgrade to a fixed version of BIG-IP or BIG-IQ as recommended by F5 Networks to remediate CVE-2026-40698 (\u003ca href=\"https://my.f5.com/manage/s/article/K000160981\"\u003ehttps://my.f5.com/manage/s/article/K000160981\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SNMP Configuration via iControl REST\u0026rdquo; to detect potentially malicious SNMP configuration creation via iControl REST API.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SNMP Configuration via TMOS Shell\u0026rdquo; to detect potentially malicious SNMP configuration creation via TMOS shell.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:23:30Z","date_published":"2026-05-13T16:23:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40698-f5-privesc/","summary":"CVE-2026-40698 allows a highly privileged, authenticated attacker with Resource Administrator privileges in F5 BIG-IP and BIG-IQ systems to create SNMP configuration objects via iControl REST or TMOS shell (tmsh), resulting in privilege escalation.","title":"F5 BIG-IP and BIG-IQ iControl REST/TMOS Shell Privilege Escalation Vulnerability (CVE-2026-40698)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40698-f5-privesc/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-32643"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP","BIG-IQ"],"_cs_severities":["high"],"_cs_tags":["cve","command execution","privilege escalation","f5"],"_cs_type":"advisory","_cs_vendors":["F5"],"content_html":"\u003cp\u003eCVE-2026-32643 is a vulnerability affecting F5 BIG-IP and BIG-IQ systems. 
A highly privileged, authenticated attacker possessing at least the Certificate Manager role can exploit this vulnerability. Successful exploitation allows the attacker to modify configuration objects, which in turn enables the execution of arbitrary commands on the affected system. This vulnerability poses a significant risk, potentially leading to complete system compromise if exploited. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access and obtains valid credentials with at least Certificate Manager role privileges on the BIG-IP or BIG-IQ system.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the BIG-IP or BIG-IQ management interface (GUI or API).\u003c/li\u003e\n\u003cli\u003eAttacker identifies configuration objects that can be modified to inject arbitrary commands. This may involve examining existing configuration settings or leveraging known vulnerable parameters.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the identified configuration object to include malicious commands. This could involve injecting shell commands or scripts into fields that are later executed by the system.\u003c/li\u003e\n\u003cli\u003eAttacker triggers the execution of the modified configuration object. 
This may involve restarting services, applying configuration changes, or invoking specific functions within the BIG-IP or BIG-IQ system.\u003c/li\u003e\n\u003cli\u003eThe injected commands are executed with the privileges of the BIG-IP or BIG-IQ system, allowing the attacker to perform actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the command execution to further compromise the system or network, potentially gaining access to sensitive data or other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32643 allows an attacker to execute arbitrary commands on the affected BIG-IP or BIG-IQ system. This can lead to a complete compromise of the system, including the ability to install malware, steal sensitive data, or disrupt critical services. Given the central role of BIG-IP and BIG-IQ systems in network infrastructure, a successful attack could have widespread consequences, impacting numerous organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch or upgrade to a non-vulnerable version of BIG-IP or BIG-IQ as recommended by F5. Refer to F5\u0026rsquo;s advisory \u003ca href=\"https://my.f5.com/manage/s/article/K000160972\"\u003ehttps://my.f5.com/manage/s/article/K000160972\u003c/a\u003e for specific instructions.\u003c/li\u003e\n\u003cli\u003eRestrict access to the BIG-IP and BIG-IQ management interface to only authorized personnel and enforce strong authentication measures.\u003c/li\u003e\n\u003cli\u003eReview existing user roles and permissions to ensure that only necessary privileges are granted. 
Limit the number of users with the Certificate Manager role.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:20:37Z","date_published":"2026-05-13T16:20:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-32643/","summary":"CVE-2026-32643 describes a vulnerability in F5 BIG-IP and BIG-IQ systems that allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects, leading to arbitrary command execution.","title":"CVE-2026-32643: F5 BIG-IP and BIG-IQ Authenticated Command Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-32643/"}],"language":"en","title":"CraftedSignal Threat Feed — BIG-IP","version":"https://jsonfeed.org/version/1.1"}