Description
A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in F5 BIG‑IP allows a highly privileged, authenticated attacker holding at least the Resource Administrator role to modify configuration objects in a way that grants privileges beyond what that role permits. Because the flaw sits in the configuration path of the device, a successful attacker can alter the system configuration and, through it, the application traffic and services the BIG‑IP handles (the CVSS vector records high confidentiality and integrity impact and no availability impact). The assigned weakness is CWE‑77 (Improper Neutralization of Special Elements used in a Command, i.e. command injection), indicating that attacker-controlled content placed in a configuration object reaches a command executed by the system.

Affected Systems

The affected systems are F5 BIG‑IP appliances that provide application delivery and security services. No specific version range is listed. Software versions which have reached End of Technical Support (EoTS) are not evaluated. Users should verify their deployed BIG‑IP version against F5’s advisory.

Risk and Exploitability

The CVSS v4.0 base score of 8.5 classifies this flaw as high severity (the v3.1 base score is 6.5). The EPSS score is below 1% (very low), the vulnerability is not listed in CISA’s KEV catalog, and the SSVC assessment records no known exploitation and rates it as not automatable, with total technical impact. Exploitation requires an authenticated account holding at least the Resource Administrator role, so it is not reachable by unauthenticated or low-privileged users. The likely attack path is an attacker who already holds, or has stolen, Resource Administrator credentials using the flaw to modify configuration objects and gain full control of the device.

Generated by OpenCVE AI on May 13, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the fixed BIG‑IP software version as soon as F5 publishes one; at present no fix or workaround is listed, so the remaining items are the only mitigation.
  • Assign the Resource Administrator role (and the Administrator role) only to personnel who need it, and review role assignments regularly; `tmsh list auth user` shows each account and its role.
  • Restrict management-plane access (the management interface and any self IPs that expose the configuration utility, tmsh or iControl REST) to trusted administrative networks and jump hosts, so that stolen credentials alone are not enough to reach the device.
  • Monitor configuration changes using BIG‑IP’s audit logging (tmsh and configuration utility actions are recorded in /var/log/audit) and alert on role, shell or account changes, and on configuration changes from accounts that are not expected to make them.
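The last two actions above describe a detection procedure without showing it. The following script is an added example, not code from OpenCVE or F5: it parses BIG‑IP audit log lines and flags the footprint a privilege escalation from the Resource Administrator role would leave (role or shell changes on accounts, remote-role mapping changes, and configuration changes by accounts that are not expected to make them). The audit line layout is an assumption approximating the tmsh `AUDIT` entries in /var/log/audit, the rule set and the `expected_mutators` allow-list are hypothetical, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Regex for the body of a BIG-IP tmsh audit entry as written to /var/log/audit.
# The exact field layout is an assumption approximating the real format and
# may need adjusting for a particular TMOS version.
AUDIT_RE = re.compile(
    r"AUDIT - pid=(?P<pid>\d+) user=(?P<user>\S+) folder=(?P<folder>\S+) "
    r"module=\((?P<module>[^)]*)\)# status=\[(?P<status>[^\]]*)\] "
    r"cmd_data=(?P<cmd>.*)$"
)

# Hypothetical rule set: tmsh commands that change who can do what on the box.
PRIVILEGE_RULES = [
    (re.compile(r"^(?:create|modify)\s+auth\s+user\b.*\brole\b"), "user role assignment"),
    (re.compile(r"^(?:create|modify)\s+auth\s+user\b.*\bshell\b"), "user shell change"),
    (re.compile(r"^(?:create|modify|delete)\s+auth\s+remote-role\b"), "remote role mapping"),
]
# Any command that alters the running configuration.
MUTATING_RE = re.compile(r"^(?:create|modify|delete|load|merge)\b")

# Constructed sample log: one read-only command, one ordinary change by an
# expected Resource Administrator account (ra_ops), two self-escalation steps,
# an account creation by an unexpected user, and a change by a service account.
SAMPLE_LOG = """\
May 13 17:20:01 bigip1 notice tmsh[4021]: 01420002:5: AUDIT - pid=4021 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
May 13 17:21:14 bigip1 notice tmsh[4055]: 01420002:5: AUDIT - pid=4055 user=ra_ops folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify ltm virtual vs_app pool pool_app_v2
May 13 17:22:40 bigip1 notice tmsh[4102]: 01420002:5: AUDIT - pid=4102 user=ra_ops folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify auth user ra_ops role admin
May 13 17:22:58 bigip1 notice tmsh[4110]: 01420002:5: AUDIT - pid=4110 user=ra_ops folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify auth user ra_ops shell bash
May 13 17:25:03 bigip1 notice tmsh[4170]: 01420002:5: AUDIT - pid=4170 user=contractor folder=/Common module=(tmos)# status=[Command OK] cmd_data=create auth user svc_deploy password-encrypted REDACTED role admin
May 13 17:26:30 bigip1 notice tmsh[4201]: 01420002:5: AUDIT - pid=4201 user=svc_monitor folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify ltm pool pool_app_v2 members add { 10.0.0.9:80 }
"""


@dataclass
class Finding:
    user: str
    cmd: str
    reasons: list


def parse_audit(line: str):
    """Return the audit fields of a log line as a dict, or None if it is not an audit entry."""
    m = AUDIT_RE.search(line)
    return m.groupdict() if m else None


def review(lines, expected_mutators):
    """Flag privilege-related commands, config changes by unexpected accounts, and failed commands."""
    findings = []
    for line in lines:
        entry = parse_audit(line)
        if entry is None:
            continue
        cmd = entry["cmd"].strip()
        reasons = [label for rx, label in PRIVILEGE_RULES if rx.search(cmd)]
        if MUTATING_RE.match(cmd) and entry["user"] not in expected_mutators:
            reasons.append("config change by unexpected account")
        if entry["status"] != "Command OK":
            reasons.append(f"status {entry['status']!r}")
        if reasons:
            findings.append(Finding(entry["user"], cmd, reasons))
    return findings


def review_sample():
    """Run the review over the constructed log with a hypothetical allow-list of config-changing accounts."""
    return review(SAMPLE_LOG.splitlines(), expected_mutators={"admin", "ra_ops"})


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.user}: {f.cmd}  <- {', '.join(f.reasons)}")
```

Run against the constructed log, the ordinary pool change by `ra_ops` passes, while the two self-escalation commands, the account creation by `contractor` and the change by `svc_monitor` are each reported with the reason that matched. In practice the allow-list should be the set of accounts that hold the Administrator or Resource Administrator role, and the output should feed an alerting pipeline rather than stdout.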

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | F5; F5 big-ip
Vendors & Products | | F5; F5 big-ip
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title | | BIG-IP Privilege Escalation vulnerability
Weaknesses | | CWE-77
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}
Metrics | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-14T03:56:16.422Z

Reserved: 2026-04-30T23:04:10.895Z

Link: CVE-2026-41953

Vulnrichment

Updated: 2026-05-13T16:11:33.380Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:45.473

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-41953

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:45:25Z

Weaknesses