CVE-2026-32643 Overview
CVE-2026-32643 affects F5 BIG-IP and BIG-IQ systems. An authenticated attacker holding the Certificate Manager role or higher can modify configuration objects to execute arbitrary commands on the underlying system. The flaw maps to CWE-250: Execution with Unnecessary Privileges, where a non-administrative role gains the ability to invoke privileged operations.
F5 documents the issue in Knowledge Base article K000160972. Software versions that have reached End of Technical Support (EoTS) are not evaluated by the vendor.
Critical Impact
An authenticated user with only the Certificate Manager role can break out of the role boundary and run arbitrary commands, undermining the confidentiality and integrity of the BIG-IP or BIG-IQ host.
Affected Products
- F5 BIG-IP (supported branches per vendor advisory K000160972)
- F5 BIG-IQ Centralized Management (supported branches per vendor advisory K000160972)
- End-of-Technical-Support versions are not evaluated and should be treated as vulnerable
Discovery Timeline
- 2026-05-13 - CVE-2026-32643 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-32643
Vulnerability Analysis
The vulnerability resides in how BIG-IP and BIG-IQ enforce role-based access control over configuration objects. The Certificate Manager role is intended to manage cryptographic material such as certificates and keys. The product instead permits this role to modify configuration objects whose contents are passed to command execution routines.
The weakness corresponds to CWE-250: Execution with Unnecessary Privileges. Configuration handlers run with system privileges, yet the role checks do not constrain which fields a Certificate Manager may alter. Once an attacker writes controlled values to those fields, the system processes them with elevated rights and executes the embedded commands.
Exploitation does not require user interaction and is reachable over the network (network attack vector). It does require valid credentials and the Certificate Manager role, which limits opportunistic exploitation. Compromised administrator workstations, leaked API tokens, or insider abuse are the realistic ways an attacker obtains that precondition.
Root Cause
The root cause is a privilege boundary mismatch. The role model treats Certificate Manager as a limited role, but configuration object handlers do not validate that the modifying principal is permitted to change command-influencing fields. The result is a confused-deputy condition: a low-privileged role triggers a high-privileged execution path.
Attack Vector
An attacker authenticates to the BIG-IP or BIG-IQ management interface, REST API, or tmsh shell using Certificate Manager credentials. The attacker submits a modification to a configuration object that the system later evaluates as a command or parameter to a command. The configuration object is processed by a privileged handler, which executes the attacker-supplied content with system privileges. The F5 advisory K000160972 documents the specific configuration objects and components involved.
Detection Methods for CVE-2026-32643
Indicators of Compromise
- Configuration object modifications submitted by Certificate Manager accounts to fields outside certificate and key management scope
- Unexpected child processes spawned from BIG-IP or BIG-IQ management daemons immediately after configuration changes
- New cron jobs, scripts, or system files created on the BIG-IP or BIG-IQ appliance shortly after a Certificate Manager session
- Outbound connections from the management plane to unfamiliar hosts following a configuration change
Detection Strategies
- Audit restjavad, tmsh, and iControl REST logs for configuration writes performed by Certificate Manager accounts and correlate with subsequent process executions
- Alert on any configuration object change submitted by a non-administrator role that touches command-bearing fields identified in F5 advisory K000160972
- Compare current device configuration against a known-good baseline and flag drift introduced by Certificate Manager accounts
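The first two detection strategies above, worked as an added example (not from F5 or the advisory): a small correlator that flags Certificate Manager configuration writes outside certificate and key objects, and flags process executions spawned by a management daemon shortly after such a write. The log line format, the account names, the in-scope object prefixes and the 60-second window are all constructed assumptions; a real deployment maps them onto its own audit and process telemetry.

```python
import re
from datetime import datetime

# Constructed, simplified audit lines for illustration only. Real BIG-IP audit
# records use a different layout and need their own field mapping.
SAMPLE_LOG = """\
2026-05-14T02:11:05Z host=bigip1 user=certops role=certificate-manager event=config_write object="sys file ssl-cert app.crt"
2026-05-14T02:11:09Z host=bigip1 user=certops role=certificate-manager event=config_write object="ltm virtual vs_app"
2026-05-14T02:11:12Z host=bigip1 user=root role=- event=process_exec parent=restjavad proc=sh
2026-05-14T02:40:00Z host=bigip1 user=admin role=admin event=config_write object="ltm pool web_pool"
2026-05-14T02:40:03Z host=bigip1 user=root role=- event=process_exec parent=restjavad proc=sh
2026-05-14T03:05:00Z host=bigip1 user=certops role=certificate-manager event=config_write object="sys file ssl-key app.key"
"""

# Object types a Certificate Manager is expected to touch (assumed scope).
CERT_SCOPE = ("sys file ssl-cert", "sys file ssl-key",
              "sys crypto cert", "sys crypto key", "sys crypto csr")
MGMT_DAEMONS = {"restjavad", "tmsh", "mcpd", "icrd"}   # assumed parent names
WINDOW_SECONDS = 60                                   # assumed correlation window
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split 'ts k=v k="v v"' into a dict; timestamp parsed to datetime."""
    ts, _, rest = line.partition(" ")
    rec = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text):
    """Return (rule, user, object) alerts in log order."""
    alerts, recent_writes = [], {}          # host -> [(ts, user, object)]
    for line in filter(str.strip, log_text.splitlines()):
        r = parse_line(line)
        host = r["host"]
        if r["event"] == "config_write" and r["role"] == "certificate-manager":
            recent_writes.setdefault(host, []).append((r["ts"], r["user"], r["object"]))
            if not r["object"].startswith(CERT_SCOPE):
                alerts.append(("OUT_OF_SCOPE_WRITE", r["user"], r["object"]))
        elif r["event"] == "process_exec" and r.get("parent") in MGMT_DAEMONS:
            # Nearest preceding Certificate Manager write on this host within the window.
            hits = [w for w in recent_writes.get(host, [])
                    if 0 <= (r["ts"] - w[0]).total_seconds() <= WINDOW_SECONDS]
            if hits:
                _, user, obj = max(hits, key=lambda w: w[0])
                alerts.append(("EXEC_AFTER_CERT_MANAGER_WRITE", user, obj))
    return alerts
```

The admin's pool change at 02:40 followed by an exec does not fire, because the exec rule only correlates against writes by Certificate Manager accounts.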
Monitoring Recommendations
- Forward BIG-IP and BIG-IQ audit logs to a centralized SIEM and retain Certificate Manager activity for post-incident review
- Monitor authentication events for Certificate Manager accounts logging in from new IP addresses, off-hours, or via unusual API clients
- Track shell command execution on appliances and treat any execution originating from the configuration handler chain as high priority
How to Mitigate CVE-2026-32643
Immediate Actions Required
- Apply the fixed versions listed in F5 Knowledge Base article K000160972 to all supported BIG-IP and BIG-IQ instances
- Inventory all accounts assigned the Certificate Manager role and remove the role from accounts that do not strictly require it
- Rotate credentials and API tokens for any Certificate Manager account that cannot be immediately validated as uncompromised
- Upgrade or decommission any BIG-IP or BIG-IQ instance running an End-of-Technical-Support version
Patch Information
F5 provides fixed software versions and full remediation guidance in advisory K000160972. Administrators should consult the advisory for branch-specific fixed releases and apply the upgrade that matches their deployed branch. EoTS versions do not receive fixes and must be upgraded to a supported branch.
Workarounds
- Restrict access to the BIG-IP and BIG-IQ management plane to a dedicated administrative network and block external exposure
- Require multi-factor authentication for all administrative and Certificate Manager logins to the management interface
- Limit Certificate Manager role assignments to a small number of vetted operators and review assignments on a recurring schedule
- Enable and review configuration audit logging so that any abuse by a Certificate Manager account is captured for investigation
# Configuration example: list users and their assigned roles on BIG-IP
# Review output and remove the Certificate Manager role from accounts that do not need it
tmsh list auth user all-properties
# Remove the role from a specific user (replace USERNAME)
tmsh modify auth user USERNAME partition-access replace-all-with { all-partitions { role no-access } }
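To turn the inventory step into something repeatable, here is an added example (not F5 code) that parses output in the shape of `tmsh list auth user all-properties` and reports which accounts hold the Certificate Manager role, and on which partitions. The sample output is constructed and trimmed to the properties the parser needs, and the role spelling `certificate-manager` is assumed to be the tmsh value; admin-class roles are left for a separate review.

```python
import re

# Constructed sample in the shape of `tmsh list auth user all-properties`,
# reduced to the properties relevant here.
SAMPLE_TMSH = """\
auth user admin {
    description admin
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user certops {
    description "PKI operator"
    partition-access {
        all-partitions {
            role certificate-manager
        }
    }
    shell none
}
auth user appdev {
    partition-access {
        Common {
            role certificate-manager
        }
        tenant-a {
            role guest
        }
    }
}
"""

def parse_users(text):
    """Return {user: {partition: role}} from the brace-structured listing."""
    users, current, partition = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"auth user (\S+) \{$", line):
            current, partition = m.group(1), None
            users[current] = {}
        elif (m := re.match(r"(\S+) \{$", line)) and current and m.group(1) != "partition-access":
            partition = m.group(1)           # all-partitions, Common, tenant-a, ...
        elif (m := re.match(r"role (\S+)$", line)) and current and partition:
            users[current][partition] = m.group(1)
    return users

def cert_manager_accounts(text, role="certificate-manager"):
    """Return {user: [partitions]} for accounts holding the given role."""
    return {u: sorted(p for p, r in roles.items() if r == role)
            for u, roles in parse_users(text).items()
            if role in roles.values()}
```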
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.