CVE-2026-40061
F5 · BIG-IP
A command injection vulnerability in F5 BIG-IP allows authenticated administrators to execute arbitrary system commands via iControl REST or the TMOS Shell.
Executive summary
A critical command injection vulnerability exists in F5 BIG-IP that allows an authenticated administrator to execute arbitrary system commands, potentially leading to full system compromise.
Vulnerability
This vulnerability involves improper neutralization of special elements used in a command (CWE-77). It requires an authenticated attacker with Resource Administrator or Administrator privileges to trigger the flaw via iControl REST or the TMOS Shell.
Business impact
Successful exploitation allows an attacker with elevated administrative access to execute arbitrary commands at the system level. Given the CVSS score of 8.7, this represents a high risk to the confidentiality and integrity of the BIG-IP appliance, which often serves as a critical gateway for network traffic and security services.
Remediation
Immediate Action: Upgrade to version 21.1.0 or later, or apply the specific version updates provided by F5 in security advisory K000160788.
Proactive Monitoring: Review TMOS Shell and iControl REST logs for unauthorized or suspicious command sequences executed by administrative accounts.
Compensating Controls: Restrict access to management interfaces to trusted IP addresses and enforce strict role-based access control (RBAC) to minimize the number of users with administrative privileges.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations should prioritize patching F5 BIG-IP appliances immediately. Given the high severity of command injection, ensuring that all affected systems are updated to the vendor-recommended versions is essential to preventing potential unauthorized system-level control.