{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/icontrol-rest/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-39459"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["iControl REST","TMOS Shell (tmsh)"],"_cs_severities":["high"],"_cs_tags":["cve","rce","f5","privilege escalation"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-39459 is a critical vulnerability affecting F5\u0026rsquo;s iControl REST API and TMOS Shell (tmsh). The vulnerability allows a highly privileged, authenticated attacker with at least the Manager role to execute arbitrary commands on the target system. This is achieved by creating malicious configuration objects that, when processed, lead to command execution. The vulnerability poses a significant threat to F5 deployments, as a compromised Manager account could lead to complete system takeover. Exploitation requires prior authentication and the Manager role (or higher), limiting the attack surface but amplifying the potential impact in case of a successful compromise. The affected products are iControl REST and TMOS Shell (tmsh).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an account with at least the Manager role on the F5 system.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the iControl REST API or TMOS Shell (tmsh) using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious configuration object designed to execute arbitrary commands when processed by the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the iControl REST API or TMOS Shell (tmsh) to create the malicious configuration object. This could involve sending a POST request to a specific endpoint or using tmsh commands.\u003c/li\u003e\n\u003cli\u003eThe system processes the newly created configuration object. This processing triggers the execution of the embedded arbitrary commands due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands with elevated privileges, potentially compromising the entire F5 system.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots within the network, leveraging the compromised F5 system as a beachhead for further attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data exfiltration, service disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39459 allows a privileged attacker to execute arbitrary commands on the F5 system. This could lead to complete system compromise, including data theft, service disruption, and lateral movement within the network. Given the critical role of F5 devices in network infrastructure, a successful attack could have widespread and severe consequences, impacting numerous applications and services. The impact is amplified by the high privileges gained through exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch or mitigation provided by F5 Networks as soon as possible. Refer to the F5 Networks advisory \u003ca href=\"https://my.f5.com/manage/s/article/K000160863\"\u003ehttps://my.f5.com/manage/s/article/K000160863\u003c/a\u003e for detailed instructions.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege, ensuring that users are granted only the minimum necessary permissions to perform their tasks. This can help reduce the attack surface and limit the potential impact of a compromised account.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious activity in the iControl REST API and TMOS Shell (tmsh) logs. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious TMOS Shell Activity\u003c/code\u003e to detect unusual tmsh command executions.\u003c/li\u003e\n\u003cli\u003eRegularly review user accounts and permissions on F5 systems, looking for any unauthorized or unnecessary privileges.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication and authorization mechanisms, such as multi-factor authentication (MFA), to protect against unauthorized access to F5 systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:21:41Z","date_published":"2026-05-13T16:21:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-39459-f5-rce/","summary":"CVE-2026-39459 describes a vulnerability in F5's iControl REST and TMOS Shell (tmsh) where a privileged, authenticated attacker with at least the Manager role can execute arbitrary commands by creating malicious configuration objects.","title":"CVE-2026-39459 - F5 iControl REST and TMOS Shell (tmsh) Arbitrary Command Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-39459-f5-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-41225"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["iControl REST"],"_cs_severities":["critical"],"_cs_tags":["cve","rce","f5","icontrol"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-41225 is a critical vulnerability affecting F5 iControl REST. It enables a highly privileged attacker, authenticated with at least the Manager role, to create malicious configuration objects. This flaw stems from an incorrect use of privileged APIs, potentially allowing the injection of arbitrary commands. Successful exploitation leads to Remote Code Execution (RCE) on the affected system, compromising its integrity and availability. Note that End of Technical Support (EoTS) software versions are not evaluated for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the iControl REST interface with Manager-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious configuration object containing commands for execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the iControl REST API to create or modify the malicious configuration object.\u003c/li\u003e\n\u003cli\u003eThe vulnerable API endpoint processes the configuration object without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe system executes the attacker-supplied commands within the context of the iControl REST process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the underlying system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe ultimate impact is full system compromise, including the ability to disrupt services, steal sensitive information, or install persistent backdoors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41225 allows a privileged attacker to achieve arbitrary command execution. This can lead to a full system compromise, potentially affecting critical network infrastructure and services. The high CVSS score (9.1) reflects the significant risk posed by this vulnerability. Organizations using affected versions of F5 iControl REST are at risk of data breaches, service disruption, and other severe security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security updates provided by F5 Networks to remediate CVE-2026-41225.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for iControl REST access to limit the impact of potential compromises.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict lateral movement following a successful exploit.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect iControl REST Configuration Object Manipulation\u0026rdquo; to identify suspicious activity related to configuration object creation or modification via the iControl REST API.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for iControl REST API calls to aid in incident investigation and detection efforts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:17:56Z","date_published":"2026-05-13T16:17:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-icontrol-rce/","summary":"CVE-2026-41225 allows a highly privileged, authenticated attacker with at least the Manager role to create configuration objects in F5 iControl REST, leading to arbitrary command execution.","title":"F5 iControl REST RCE Vulnerability (CVE-2026-41225)","url":"https://feed.craftedsignal.io/briefs/2026-05-icontrol-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — IControl REST","version":"https://jsonfeed.org/version/1.1"}