Description
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in F5 BIG-IP and BIG-IQ permits a highly privileged, authenticated attacker holding at least a Certificate Manager role to alter configuration objects that enable the execution of arbitrary commands. The vulnerability is classified as CWE-250, representing an elevation of privilege that can lead to arbitrary code execution and compromise system integrity and confidentiality.

Affected Systems

The issue affects F5's BIG-IP and BIG-IQ. No explicit version range appears in the advisory. The description states only that End-of-Technical-Support releases were not evaluated, so it is inferred that all currently supported and maintained versions of these products are potentially impacted.

Risk and Exploitability

The CVSS score of 8.5 signals high severity. EPSS is not provided and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be authenticated with at least the Certificate Manager role, so it is likely confined to environments where such privileged accounts exist. The likely attack vector is a privileged local or internal access scenario, though no public remote exploit is referenced.

Generated by OpenCVE AI on May 13, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-issued patch or upgrade to the latest supported versions of F5 BIG-IP and BIG-IQ as documented in the F5 advisory. This removes the privilege-escalation flaw that permits arbitrary command execution.
  • Re-evaluate role-based access control and revoke the Certificate Manager role from users who do not need command-execution privileges; consider limiting this role to a small set of trusted administrators.
  • Implement temporary hardening by disabling or restricting the configuration objects that allow arbitrary command execution, following guidance in F5 secure-configuration best-practice documents until a patch is applied.

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   F5; F5 big-ip; F5 big-iq
Vendors & Products                    F5; F5 big-ip; F5 big-iq

Wed, 13 May 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title                          BIG-IP and BIG-IQ privilege escalation vulnerability
Weaknesses                     CWE-250
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}
                               cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-14T03:56:15.259Z

Reserved: 2026-04-30T23:04:20.024Z

Link: CVE-2026-32643

Vulnrichment

Updated: 2026-05-13T16:09:26.324Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:39.213

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-32643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:15:16Z

Weaknesses