{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/f5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-40061"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP DNS"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","execution","cve"],"_cs_type":"advisory","_cs_vendors":["F5"],"content_html":"\u003cp\u003eCVE-2026-40061 is a vulnerability affecting F5 BIG-IP DNS when provisioned. This flaw resides within an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command. Successful exploitation requires an authenticated attacker holding either the Resource Administrator or Administrator role. A successful exploit grants the attacker the ability to execute arbitrary system commands with elevated privileges. In Appliance mode deployments, successful exploitation allows the attacker to bypass security restrictions. Note that versions which have reached End of Technical Support (EoTS) are not evaluated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker gains access to the BIG-IP DNS system with either Resource Administrator or Administrator credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an undisclosed iControl REST API endpoint or a BIG-IP TMOS Shell (tmsh) command.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious commands into a parameter or argument of the vulnerable iControl REST API or tmsh command.\u003c/li\u003e\n\u003cli\u003eThe injected commands are executed by the BIG-IP system with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or system resources.\u003c/li\u003e\n\u003cli\u003eIn Appliance mode deployments, the attacker crosses security boundaries, gaining further access.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through a backdoor or scheduled task.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the BIG-IP DNS system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40061 can lead to a complete compromise of the BIG-IP DNS system. An attacker can gain unauthorized access to sensitive data, modify system configurations, and disrupt network services. In Appliance mode deployments, the attacker can bypass security restrictions, potentially gaining access to other systems within the network. The impact could range from data breaches and service disruptions to complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches released by F5 Networks to address CVE-2026-40061 on BIG-IP DNS.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to ensure that only authorized personnel have Resource Administrator or Administrator privileges on BIG-IP DNS.\u003c/li\u003e\n\u003cli\u003eMonitor BIG-IP DNS logs for suspicious activity related to iControl REST API calls and tmsh commands, using the \u0026ldquo;Detect BIG-IP DNS iControl REST/TMSH Command Injection\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful exploit on Appliance mode deployments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:22:07Z","date_published":"2026-05-13T16:22:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40061-bigip/","summary":"CVE-2026-40061 is a vulnerability in F5 BIG-IP DNS that allows an authenticated attacker with Resource Administrator or Administrator privileges to execute arbitrary system commands with elevated privileges via undisclosed iControl REST and TMOS Shell (tmsh) commands, potentially crossing security boundaries in Appliance mode deployments.","title":"CVE-2026-40061: BIG-IP DNS iControl REST/TMSH Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40061-bigip/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-32643"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IP","BIG-IQ"],"_cs_severities":["high"],"_cs_tags":["cve","command execution","privilege escalation","f5"],"_cs_type":"advisory","_cs_vendors":["F5"],"content_html":"\u003cp\u003eCVE-2026-32643 is a vulnerability affecting F5 BIG-IP and BIG-IQ systems. A highly privileged, authenticated attacker possessing at least the Certificate Manager role can exploit this vulnerability. Successful exploitation allows the attacker to modify configuration objects, which in turn enables the execution of arbitrary commands on the affected system. This vulnerability poses a significant risk, potentially leading to complete system compromise if exploited. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access and obtains valid credentials with at least Certificate Manager role privileges on the BIG-IP or BIG-IQ system.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the BIG-IP or BIG-IQ management interface (GUI or API).\u003c/li\u003e\n\u003cli\u003eAttacker identifies configuration objects that can be modified to inject arbitrary commands. This may involve examining existing configuration settings or leveraging known vulnerable parameters.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the identified configuration object to include malicious commands. This could involve injecting shell commands or scripts into fields that are later executed by the system.\u003c/li\u003e\n\u003cli\u003eAttacker triggers the execution of the modified configuration object. This may involve restarting services, applying configuration changes, or invoking specific functions within the BIG-IP or BIG-IQ system.\u003c/li\u003e\n\u003cli\u003eThe injected commands are executed with the privileges of the BIG-IP or BIG-IQ system, allowing the attacker to perform actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the command execution to further compromise the system or network, potentially gaining access to sensitive data or other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32643 allows an attacker to execute arbitrary commands on the affected BIG-IP or BIG-IQ system. This can lead to a complete compromise of the system, including the ability to install malware, steal sensitive data, or disrupt critical services. Given the central role of BIG-IP and BIG-IQ systems in network infrastructure, a successful attack could have widespread consequences, impacting numerous organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch or upgrade to a non-vulnerable version of BIG-IP or BIG-IQ as recommended by F5. Refer to F5\u0026rsquo;s advisory \u003ca href=\"https://my.f5.com/manage/s/article/K000160972\"\u003ehttps://my.f5.com/manage/s/article/K000160972\u003c/a\u003e for specific instructions.\u003c/li\u003e\n\u003cli\u003eRestrict access to the BIG-IP and BIG-IQ management interface to only authorized personnel and enforce strong authentication measures.\u003c/li\u003e\n\u003cli\u003eReview existing user roles and permissions to ensure that only necessary privileges are granted. Limit the number of users with the Certificate Manager role.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:20:37Z","date_published":"2026-05-13T16:20:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-32643/","summary":"CVE-2026-32643 describes a vulnerability in F5 BIG-IP and BIG-IQ systems that allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects, leading to arbitrary command execution.","title":"CVE-2026-32643: F5 BIG-IP and BIG-IQ Authenticated Command Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-32643/"}],"language":"en","title":"CraftedSignal Threat Feed — F5","version":"https://jsonfeed.org/version/1.1"}