{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-32673/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-32673"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP scripted monitors"],"_cs_severities":["high"],"_cs_tags":["cve-2026-32673","privilege-escalation","command-injection","big-ip"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-32673 is a vulnerability affecting F5 BIG-IP scripted monitors. An authenticated attacker possessing either the Resource Administrator or Administrator role can exploit this flaw to execute arbitrary system commands with elevated privileges. The successful exploitation of this vulnerability in appliance mode deployments allows the attacker to bypass security boundaries, gaining unauthorized access to sensitive system resources. Note that F5 does not evaluate software versions that have reached End of Technical Support (EoTS) for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the BIG-IP system with Resource Administrator or Administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the BIG-IP configuration interface.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a scripted monitor.\u003c/li\u003e\n\u003cli\u003eWithin the scripted monitor, the attacker injects malicious system commands.\u003c/li\u003e\n\u003cli\u003eThe BIG-IP system executes the scripted monitor.\u003c/li\u003e\n\u003cli\u003eThe injected commands are executed with elevated privileges.\u003c/li\u003e\n\u003cli\u003eIn appliance mode deployments, the attacker may cross a security boundary due to the elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive system resources and can perform administrative actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32673 allows an attacker to execute arbitrary system commands with higher privileges on the affected BIG-IP system. In appliance mode deployments, this can lead to a breach of security boundaries, potentially granting the attacker complete control over the system. The number of victims and specific sectors targeted are currently unknown. However, given the widespread use of BIG-IP in critical infrastructure and enterprise networks, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the updates or mitigations provided by F5 Networks as detailed in their advisory [https://my.f5.com/manage/s/article/K000161040].\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-32673 Exploitation - Scripted Monitor Command Injection\u0026rdquo; to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to the Resource Administrator and Administrator roles on BIG-IP systems to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor BIG-IP systems for suspicious activity, including unusual command execution within scripted monitors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:20:56Z","date_published":"2026-05-13T16:20:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-32673/","summary":"CVE-2026-32673 allows an authenticated attacker with Resource Administrator or Administrator roles to execute arbitrary system commands with higher privileges in F5 BIG-IP scripted monitors, potentially crossing a security boundary in appliance mode deployments.","title":"CVE-2026-32673 - F5 BIG-IP Scripted Monitor Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-32673/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-32673","version":"https://jsonfeed.org/version/1.1"}