CVE-2026-42406
F5 · BIG-IP, BIG-IQ
A privilege management vulnerability in F5 BIG-IP and BIG-IQ allows a highly privileged authenticated user with the Certificate Manager role to execute arbitrary commands via configuration modifications.
Executive summary
A critical privilege management vulnerability in F5 BIG-IP and BIG-IQ enables authenticated users with specific administrative roles to execute arbitrary system commands.
Vulnerability
This is a privilege management flaw (CWE-267) where the "Certificate Manager" role is granted unsafe permissions. An authenticated attacker with this role can manipulate configuration objects to achieve command execution.
Business impact
Successful exploitation grants an attacker the ability to execute arbitrary commands on the system, leading to a complete compromise of the F5 appliance. With a CVSS score of 8.7, this risk is severe, as it could result in full administrative control over critical network security infrastructure.
Remediation
Immediate Action: Apply the vendor-supplied security updates immediately, specifically upgrading to versions 21.1.0 or later as specified by F5.
Proactive Monitoring: Audit the activity of users assigned the "Certificate Manager" role and review system configuration logs for unauthorized changes.
Compensating Controls: Restrict access to administrative interfaces to trusted management subnets and enforce the principle of least privilege for all administrative accounts.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Administrators must prioritize patching these F5 systems to mitigate the risk of privilege escalation. Given the potential for full system compromise, verify that all administrative accounts are strictly managed and monitored until the software updates are successfully applied.