<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>BIG-IQ — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/big-iq/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 13 May 2026 16:25:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/big-iq/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-42406 - F5 BIG-IP and BIG-IQ Authenticated Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-42406-f5-rce/</link><pubDate>Wed, 13 May 2026 16:25:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-42406-f5-rce/</guid><description>CVE-2026-42406 allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects in F5 BIG-IP and BIG-IQ systems, leading to arbitrary command execution.</description><content:encoded><![CDATA[<p>CVE-2026-42406 is a vulnerability affecting F5 BIG-IP and BIG-IQ systems. A threat actor with high privileges and valid authentication credentials, specifically requiring at least the Certificate Manager role, can exploit this flaw. By modifying configuration objects within the system, the attacker can inject and execute arbitrary commands. This vulnerability poses a significant risk to organizations using these F5 products, as successful exploitation can lead to complete system compromise and unauthorized access to sensitive data. Software versions which have reached End of Technical Support (EoTS) are not evaluated.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the BIG-IP or BIG-IQ system through valid credentials with at least Certificate Manager privileges.</li>
<li>The attacker authenticates to the administrative interface of the BIG-IP or BIG-IQ system.</li>
<li>The attacker identifies modifiable configuration objects within the system.</li>
<li>The attacker modifies a configuration object to inject malicious commands.</li>
<li>The system processes the modified configuration object.</li>
<li>The injected commands are executed within the system context.</li>
<li>The attacker achieves arbitrary command execution on the system.</li>
<li>The attacker leverages the executed commands to escalate privileges, move laterally within the network, or exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-42406 can lead to complete compromise of the BIG-IP or BIG-IQ system. This can result in unauthorized access to sensitive data, disruption of services, and the potential for further lateral movement within the network. Given the critical role that BIG-IP and BIG-IQ systems play in network infrastructure, a successful attack can have significant consequences for affected organizations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the mitigations recommended in F5&rsquo;s security advisory <a href="https://my.f5.com/manage/s/article/K000160971">https://my.f5.com/manage/s/article/K000160971</a>.</li>
<li>Monitor authentication logs for suspicious login activity to the BIG-IP or BIG-IQ administrative interface.</li>
<li>Deploy the Sigma rule detecting configuration changes by highly privileged accounts to your SIEM and tune for your environment.</li>
<li>Review user roles and permissions to ensure the principle of least privilege is enforced.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>cve-2026-42406</category><category>f5</category><category>big-ip</category><category>big-iq</category><category>rce</category><category>authenticated</category><category>privilege escalation</category></item><item><title>CVE-2026-41957: F5 BIG-IP and BIG-IQ Authenticated Remote Code Execution Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41957-rce/</link><pubDate>Wed, 13 May 2026 16:25:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41957-rce/</guid><description>An authenticated remote code execution vulnerability (CVE-2026-41957) exists in the F5 BIG-IP and BIG-IQ Configuration utility, potentially leading to arbitrary code execution on affected systems.</description><content:encoded><![CDATA[<p>CVE-2026-41957 describes an authenticated remote code execution (RCE) vulnerability affecting the F5 BIG-IP and BIG-IQ Configuration utility. The specific attack vectors remain undisclosed. An attacker with valid credentials could exploit this vulnerability to execute arbitrary code on the target system. Given the critical role of BIG-IP and BIG-IQ in network infrastructure, successful exploitation can lead to significant disruption, data breaches, and further lateral movement within the network. Software versions which have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains valid credentials to access the BIG-IP or BIG-IQ Configuration utility.</li>
<li>Attacker authenticates to the Configuration utility using the acquired credentials.</li>
<li>Attacker crafts a malicious request targeting the undisclosed vulnerable component within the Configuration utility.</li>
<li>The malicious request triggers deserialization of untrusted data (CWE-502).</li>
<li>The deserialization process leads to the execution of arbitrary code on the system.</li>
<li>Attacker establishes a reverse shell or other remote access mechanism.</li>
<li>Attacker performs post-exploitation activities, such as gathering sensitive information or moving laterally within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41957 can allow an authenticated attacker to execute arbitrary code on the affected BIG-IP or BIG-IQ system. This can lead to complete system compromise, allowing attackers to steal sensitive data, disrupt network services, and potentially pivot to other systems within the network. Given the central role of F5 products in many organizations&rsquo; network infrastructure, the impact of this vulnerability could be significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security updates released by F5 Networks to patch CVE-2026-41957 as soon as possible. Refer to F5&rsquo;s advisory <a href="https://my.f5.com/manage/s/article/K000156761">https://my.f5.com/manage/s/article/K000156761</a> for specific details and affected versions.</li>
<li>Deploy the Sigma rule &ldquo;Detects CVE-2026-41957 Exploitation Attempt — Suspicious URI Access&rdquo; to monitor web server logs for potential exploitation attempts.</li>
<li>Implement strong password policies and multi-factor authentication to reduce the risk of credential compromise, mitigating the initial access vector required to exploit CVE-2026-41957.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-41957</category><category>rce</category><category>f5</category><category>big-ip</category><category>big-iq</category><category>authenticated</category><category>deserialization</category></item><item><title>F5 BIG-IP and BIG-IQ iControl REST/TMOS Shell Privilege Escalation Vulnerability (CVE-2026-40698)</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40698-f5-privesc/</link><pubDate>Wed, 13 May 2026 16:23:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40698-f5-privesc/</guid><description>CVE-2026-40698 allows a highly privileged, authenticated attacker with Resource Administrator privileges in F5 BIG-IP and BIG-IQ systems to create SNMP configuration objects via iControl REST or TMOS shell (tmsh), resulting in privilege escalation.</description><content:encoded><![CDATA[<p>CVE-2026-40698 is a privilege escalation vulnerability affecting F5 BIG-IP and BIG-IQ systems. A remote, authenticated attacker who possesses at least Resource Administrator privileges can exploit this vulnerability to gain higher-level privileges within the system. The vulnerability stems from the ability to create arbitrary SNMP configuration objects through either the iControl REST API or the TMOS shell (tmsh). This can lead to the attacker gaining unauthorized control over the affected system. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated as part of this vulnerability disclosure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker authenticates to the BIG-IP or BIG-IQ system with Resource Administrator privileges.</li>
<li>Attacker crafts a malicious SNMP configuration object using iControl REST API.</li>
<li>Attacker sends the malicious configuration object to the iControl REST endpoint.</li>
<li>Alternatively, attacker crafts a malicious SNMP configuration object using the TMOS shell (tmsh).</li>
<li>Attacker executes the crafted SNMP configuration object via the TMOS shell.</li>
<li>The system processes the malicious SNMP configuration object.</li>
<li>The malicious SNMP configuration object is created.</li>
<li>Attacker leverages the newly created SNMP configuration object to escalate privileges to gain unauthorized access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40698 allows an attacker with Resource Administrator privileges to escalate their privileges within the BIG-IP or BIG-IQ system. This can lead to complete system compromise, allowing the attacker to modify configurations, access sensitive data, and potentially disrupt services. The specific impact depends on the scope of the escalated privileges.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch or upgrade to a fixed version of BIG-IP or BIG-IQ as recommended by F5 Networks to remediate CVE-2026-40698 (<a href="https://my.f5.com/manage/s/article/K000160981">https://my.f5.com/manage/s/article/K000160981</a>).</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious SNMP Configuration via iControl REST&rdquo; to detect potentially malicious SNMP configuration creation via iControl REST API.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious SNMP Configuration via TMOS Shell&rdquo; to detect potentially malicious SNMP configuration creation via TMOS shell.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>privilege-escalation</category><category>snmp</category></item><item><title>CVE-2026-32643: F5 BIG-IP and BIG-IQ Authenticated Command Execution</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-32643/</link><pubDate>Wed, 13 May 2026 16:20:37 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-32643/</guid><description>CVE-2026-32643 describes a vulnerability in F5 BIG-IP and BIG-IQ systems that allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects, leading to arbitrary command execution.</description><content:encoded><![CDATA[<p>CVE-2026-32643 is a vulnerability affecting F5 BIG-IP and BIG-IQ systems. A highly privileged, authenticated attacker possessing at least the Certificate Manager role can exploit this vulnerability. Successful exploitation allows the attacker to modify configuration objects, which in turn enables the execution of arbitrary commands on the affected system. This vulnerability poses a significant risk, potentially leading to complete system compromise if exploited. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access and obtains valid credentials with at least Certificate Manager role privileges on the BIG-IP or BIG-IQ system.</li>
<li>Attacker authenticates to the BIG-IP or BIG-IQ management interface (GUI or API).</li>
<li>Attacker identifies configuration objects that can be modified to inject arbitrary commands. This may involve examining existing configuration settings or leveraging known vulnerable parameters.</li>
<li>Attacker modifies the identified configuration object to include malicious commands. This could involve injecting shell commands or scripts into fields that are later executed by the system.</li>
<li>Attacker triggers the execution of the modified configuration object. This may involve restarting services, applying configuration changes, or invoking specific functions within the BIG-IP or BIG-IQ system.</li>
<li>The injected commands are executed with the privileges of the BIG-IP or BIG-IQ system, allowing the attacker to perform actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.</li>
<li>Attacker leverages the command execution to further compromise the system or network, potentially gaining access to sensitive data or other systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32643 allows an attacker to execute arbitrary commands on the affected BIG-IP or BIG-IQ system. This can lead to a complete compromise of the system, including the ability to install malware, steal sensitive data, or disrupt critical services. Given the central role of BIG-IP and BIG-IQ systems in network infrastructure, a successful attack could have widespread consequences, impacting numerous organizations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch or upgrade to a non-vulnerable version of BIG-IP or BIG-IQ as recommended by F5. Refer to F5&rsquo;s advisory <a href="https://my.f5.com/manage/s/article/K000160972">https://my.f5.com/manage/s/article/K000160972</a> for specific instructions.</li>
<li>Restrict access to the BIG-IP and BIG-IQ management interface to only authorized personnel and enforce strong authentication measures.</li>
<li>Review existing user roles and permissions to ensure that only necessary privileges are granted. Limit the number of users with the Certificate Manager role.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>command execution</category><category>privilege escalation</category><category>f5</category></item></channel></rss>