Description
A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.

 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A privilege escalation flaw exists in F5 BIG‑IP iControl REST and the TMOS Shell (tmsh). An attacker who is already authenticated and holds at least a Manager role can add configuration objects that grant them the ability to execute arbitrary commands on the device. This enables full compromise of the system, allowing the attacker to modify settings, exfiltrate data, or extend persistence. The weakness is an improper restriction of functions, as identified by CWE‑272.

Affected Systems

The vulnerability affects F5 BIG‑IP systems. Specific version information is not provided in the advisory; however, any F5 BIG‑IP installation that has not applied the official patch should be considered at risk. Review the vendor advisory to determine if your particular deployment is impacted.

Risk and Exploitability

With a CVSS score of 8.6 the vulnerability is classified as high severity. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector requires authenticated access via the iControl REST API or tmsh console, so the attacker must already possess Manager‑level credentials or have compromised an account with those privileges. Once privileged, the attacker can create malicious configuration objects that will be invoked with system privileges, resulting in arbitrary command execution and full control of the device.

Generated by OpenCVE AI on May 13, 2026 at 17:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 BIG‑IP firmware patch that addresses the iControl REST and tmsh privilege escalation flaw (see the vendor advisory).
  • Enforce the principle of least privilege by restricting Manager‑role access to trusted administrators and removing unnecessary Manager or higher‑privilege accounts.
  • Continuously monitor audit logs for creation of new configuration objects and review any tmsh command executions; consider automated alerts for anomalous configuration changes.

Generated by OpenCVE AI on May 13, 2026 at 17:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 big-ip
Vendors & Products F5
F5 big-ip

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title iControl REST and tmsh vulnerability
Weaknesses CWE-272
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

F5 Big-ip
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-14T03:56:25.338Z

Reserved: 2026-04-30T23:04:10.899Z

Link: CVE-2026-39459

cve-icon Vulnrichment

Updated: 2026-05-13T16:11:18.732Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:41.380

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-39459

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses