Description
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A configuration weakness allows an authenticated privileged attacker with at least the Certificate Manager role to edit objects that enable execution of arbitrary commands. The flaw effectively permits the attacker to run commands with the authority of the affected system, potentially leading to full control of the environment. The vulnerability is classified as a privilege escalation error (CWE-267).

Affected Systems

The affected vendor is F5; the products are BIG-IP and BIG-IQ. No specific version information is provided, and versions that have reached End of Technical Support are not evaluated.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires the attacker to be an authenticated user with the Certificate Manager role, so the primary attack vector is internal. The high CVSS, combined with the need for privileged access, still represents a significant risk to affected organizations.

Generated by OpenCVE AI on May 13, 2026 at 17:12 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 patch for BIG-IP and BIG-IQ systems to eliminate the privilege escalation flaw.
  • Revoke or limit the Certificate Manager role to only those users who truly require it, enforcing the principle of least privilege.
  • Audit and modify configuration objects that allow arbitrary command execution, removing or hardening any that are unnecessary.

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    F5
                                       F5 big-ip
                                       F5 big-iq
Vendors & Products                     F5
                                       F5 big-ip
                                       F5 big-iq

Wed, 13 May 2026 16:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc:
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title                          BIG-IP and BIG-IQ privilege escalation vulnerability
Weaknesses                     CWE-267
References
Metrics                        cvssV3_1:
                               {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}
                               cvssV4_0:
                               {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-14T03:56:11.791Z

Reserved: 2026-04-30T23:04:20.038Z

Link: CVE-2026-42406

Vulnrichment

Updated: 2026-05-13T16:08:55.749Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:47.517

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses