https://feed.craftedsignal.io/vendors/f5/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 13 May 2026 16:22:07 +0000https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40061-bigip/Wed, 13 May 2026 16:22:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40061-bigip/CVE-2026-40061 is a vulnerability in F5 BIG-IP DNS that allows an authenticated attacker with Resource Administrator or Administrator privileges to execute arbitrary system commands with elevated privileges via undisclosed iControl REST and TMOS Shell (tmsh) commands, potentially crossing security boundaries in Appliance mode deployments.CVE-2026-40061 is a vulnerability affecting F5 BIG-IP DNS when provisioned. This flaw resides within an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command. Successful exploitation requires an authenticated attacker holding either the Resource Administrator or Administrator role. A successful exploit grants the attacker the ability to execute arbitrary system commands with elevated privileges. In Appliance mode deployments, successful exploitation allows the attacker to bypass security restrictions. Note that versions which have reached End of Technical Support (EoTS) are not evaluated.

Attack Chain

1. An authenticated attacker gains access to the BIG-IP DNS system with either Resource Administrator or Administrator credentials.
2. The attacker leverages an undisclosed iControl REST API endpoint or a BIG-IP TMOS Shell (tmsh) command.
3. The attacker injects malicious commands into a parameter or argument of the vulnerable iControl REST API or tmsh command.
4. The injected commands are executed by the BIG-IP system with elevated privileges.
5. The attacker gains unauthorized access to sensitive data or system resources.
6. In Appliance mode deployments, the attacker crosses security boundaries, gaining further access.
7. The attacker establishes persistence through a backdoor or scheduled task.
8. The attacker achieves complete control over the BIG-IP DNS system.

Impact

Successful exploitation of CVE-2026-40061 can lead to a complete compromise of the BIG-IP DNS system. An attacker can gain unauthorized access to sensitive data, modify system configurations, and disrupt network services. In Appliance mode deployments, the attacker can bypass security restrictions, potentially gaining access to other systems within the network. The impact could range from data breaches and service disruptions to complete system takeover.

Recommendation

• Apply the latest security patches released by F5 Networks to address CVE-2026-40061 on BIG-IP DNS.
• Review user roles and permissions to ensure that only authorized personnel have Resource Administrator or Administrator privileges on BIG-IP DNS.
• Monitor BIG-IP DNS logs for suspicious activity related to iControl REST API calls and tmsh commands, using the “Detect BIG-IP DNS iControl REST/TMSH Command Injection” Sigma rule.
• Implement network segmentation to limit the impact of a successful exploit on Appliance mode deployments.

]]>highadvisoryprivilege-escalationexecutioncvehttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-32643/Wed, 13 May 2026 16:20:37 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-32643/CVE-2026-32643 describes a vulnerability in F5 BIG-IP and BIG-IQ systems that allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects, leading to arbitrary command execution.CVE-2026-32643 is a vulnerability affecting F5 BIG-IP and BIG-IQ systems. A highly privileged, authenticated attacker possessing at least the Certificate Manager role can exploit this vulnerability. Successful exploitation allows the attacker to modify configuration objects, which in turn enables the execution of arbitrary commands on the affected system. This vulnerability poses a significant risk, potentially leading to complete system compromise if exploited. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.

Attack Chain

1. Attacker gains initial access and obtains valid credentials with at least Certificate Manager role privileges on the BIG-IP or BIG-IQ system.
2. Attacker authenticates to the BIG-IP or BIG-IQ management interface (GUI or API).
3. Attacker identifies configuration objects that can be modified to inject arbitrary commands. This may involve examining existing configuration settings or leveraging known vulnerable parameters.
4. Attacker modifies the identified configuration object to include malicious commands. This could involve injecting shell commands or scripts into fields that are later executed by the system.
5. Attacker triggers the execution of the modified configuration object. This may involve restarting services, applying configuration changes, or invoking specific functions within the BIG-IP or BIG-IQ system.
6. The injected commands are executed with the privileges of the BIG-IP or BIG-IQ system, allowing the attacker to perform actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.
7. Attacker leverages the command execution to further compromise the system or network, potentially gaining access to sensitive data or other systems.

Impact

Successful exploitation of CVE-2026-32643 allows an attacker to execute arbitrary commands on the affected BIG-IP or BIG-IQ system. This can lead to a complete compromise of the system, including the ability to install malware, steal sensitive data, or disrupt critical services. Given the central role of BIG-IP and BIG-IQ systems in network infrastructure, a successful attack could have widespread consequences, impacting numerous organizations.

Recommendation

• Apply the security patch or upgrade to a non-vulnerable version of BIG-IP or BIG-IQ as recommended by F5. Refer to F5’s advisory https://my.f5.com/manage/s/article/K000160972 for specific instructions.
• Restrict access to the BIG-IP and BIG-IQ management interface to only authorized personnel and enforce strong authentication measures.
• Review existing user roles and permissions to ensure that only necessary privileges are granted. Limit the number of users with the Certificate Manager role.

]]>highadvisorycvecommand executionprivilege escalationf5