CVE-2026-39459 Overview
CVE-2026-39459 affects F5 BIG-IP iControl REST and the TMOS Shell (tmsh). An authenticated attacker with at least the Manager role can create configuration objects that execute arbitrary commands on the underlying system. The flaw is tracked under CWE-272: Least Privilege Violation and carries a CVSS v4.0 score of 8.6. F5 has published guidance in F5 Knowledge Base Article K000160863. Software versions that have reached End of Technical Support (EoTS) are not evaluated under this advisory.
Critical Impact
A Manager-role account can break out of the administrative boundary and execute arbitrary commands on the BIG-IP host, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- F5 BIG-IP iControl REST interface
- F5 BIG-IP TMOS Shell (tmsh)
- F5 BIG-IP configurations where users hold the Manager role or higher
Discovery Timeline
- 2026-05-13 - CVE-2026-39459 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-39459
Vulnerability Analysis
The vulnerability resides in two administrative interfaces on F5 BIG-IP systems: the iControl REST API and the tmsh command-line shell. Both interfaces allow authenticated users with the Manager role to define configuration objects. Certain object types accept parameters that the system passes to shell command execution paths without enforcing role-appropriate restrictions. As a result, a Manager-role user gains the ability to execute arbitrary operating system commands. This violates the least privilege boundary because the Manager role is intended to administer BIG-IP configuration, not to obtain shell access on the underlying host.
The issue is classified as CWE-272: Least Privilege Violation. Successful exploitation yields high impact to confidentiality, integrity, and availability on the targeted appliance.
Root Cause
The root cause is missing privilege separation between the BIG-IP administrative role model and the privileged operations exposed through configuration objects. Configuration constructs that ultimately invoke commands at a higher privilege level do not validate whether the requesting role should be permitted to influence shell execution. A Manager-role account therefore inherits effective command execution capability reserved for higher-trust contexts.
Attack Vector
The attack vector is network-based and requires high privileges plus successful authentication, with no user interaction. An attacker first obtains valid Manager-level credentials, typically through phishing, credential reuse, or compromise of an administrative workstation. The attacker then authenticates to iControl REST or tmsh and submits crafted configuration objects whose fields are interpreted as commands during processing. Refer to F5 Knowledge Base Article K000160863 for vendor-specific exploitation conditions and affected object types.
Detection Methods for CVE-2026-39459
Indicators of Compromise
- Unexpected configuration object creation or modification by Manager-role accounts in iControl REST audit logs
- tmsh command history showing creation of configuration objects containing shell metacharacters or interpreter invocations
- New or modified system files, cron entries, or scheduled tasks on BIG-IP appliances following administrative activity
- Outbound network connections from BIG-IP management interfaces to unfamiliar destinations
Detection Strategies
- Correlate iControl REST POST and PATCH requests against /mgmt/tm/ endpoints with the authenticated user role and source IP.
- Alert on configuration object payloads containing shell operators such as backticks, $( ), ;, |, or &&.
- Baseline normal Manager-role behavior and flag deviations involving object types that touch script, monitor, or external program fields.
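The three strategies above can be run as one pass over normalised audit events. The following is an added example (not F5's code and not part of the advisory): it reads a constructed JSON-lines feed in the shape a SIEM might emit after parsing restjavad/audit logs (the field names user, role, method, uri, src and body are an assumption of this example), keeps only POST/PATCH writes under /mgmt/tm/, and raises an alert when the payload contains the listed shell operators or when the target object type is one that carries script, monitor or external-program fields. The path fragments used for that last check are illustrative categories, not the advisory's affected-object list, which is in K000160863.

```python
"""Triage BIG-IP iControl REST configuration writes for CVE-2026-39459 hunting.

Added example, not F5 code. Input is a constructed JSON-lines feed; the event
fields (user, role, method, src, uri, body) are an assumption about how the
SIEM normalised the audit log.
"""
import json
import re
from typing import Iterable

# Shell operators the advisory lists as alert triggers: backtick, $( ), ;, |, &&
SHELL_OPERATOR_RE = re.compile(r"`|\$\(|;|\||&&")

# Illustrative object types whose fields can reach scripts, monitors or external
# programs. Assumption for this example; not the advisory's affected-object list.
SCRIPT_LIKE_PATHS = ("/cli/script", "/sys/icall/script", "/ltm/monitor/external")

CONFIG_WRITE_METHODS = {"POST", "PATCH"}

# Constructed sample feed: one benign pool write, one read, one script write with
# shell operators from an unexpected source, one external-monitor patch, one bad line.
SAMPLE_LINES = [
    '{"user":"local/manager1","role":"manager","method":"POST","src":"10.10.0.25",'
    '"uri":"/mgmt/tm/ltm/pool","body":{"name":"web_pool","monitor":"http"}}',
    '{"user":"local/manager1","role":"manager","method":"GET","src":"10.10.0.25",'
    '"uri":"/mgmt/tm/cli/script","body":{}}',
    '{"user":"local/manager1","role":"manager","method":"POST","src":"203.0.113.7",'
    '"uri":"/mgmt/tm/cli/script","body":{"name":"cleanup","description":"run; tidy && exit"}}',
    '{"user":"local/opsadmin","role":"admin","method":"PATCH","src":"10.10.0.31",'
    '"uri":"/mgmt/tm/ltm/monitor/external/~Common~ext_mon","body":{"interval":10}}',
    "not json at all",
]


def is_config_write(method: str, uri: str) -> bool:
    """True for REST calls that create or modify objects under /mgmt/tm/."""
    return method.upper() in CONFIG_WRITE_METHODS and "/mgmt/tm/" in uri


def has_shell_operators(text: str) -> bool:
    """True when any of the advisory's listed shell operators appears."""
    return bool(SHELL_OPERATOR_RE.search(text))


def touches_script_fields(uri: str) -> bool:
    """True when the target object type is in the script-capable category."""
    return any(fragment in uri for fragment in SCRIPT_LIKE_PATHS)


def triage(lines: Iterable[str]) -> list[dict]:
    """Return one alert per suspicious write, keeping user, role and source for correlation."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stall the pipeline
        method, uri = event.get("method", ""), event.get("uri", "")
        if not is_config_write(method, uri):
            continue
        # Serialise the body so nested fields are scanned as one string.
        payload = json.dumps(event.get("body", {}))
        reasons = []
        if has_shell_operators(payload):
            reasons.append("shell-operators-in-payload")
        if touches_script_fields(uri):
            reasons.append("script-capable-object-type")
        if reasons:
            alerts.append({
                "user": event.get("user"),
                "role": event.get("role"),
                "src": event.get("src"),
                "uri": uri,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LINES):
        print(alert)
```

The operator list is deliberately broad, so a description field containing a semicolon will fire; the role and source fields in each alert are what let an analyst separate a Manager-role account writing from an unfamiliar address from routine administration, which is the correlation the first strategy calls for.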
Monitoring Recommendations
- Forward restjavad, audit, and tmsh logs from BIG-IP to a central SIEM for correlation and retention.
- Monitor authentication events for Manager-role accounts and require multi-factor authentication for administrative access.
- Continuously review accounts that hold the Manager role or higher and remove unnecessary assignments.
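Reviewing Manager-or-higher assignments can be scripted against the user collection that iControl REST exposes. The following is an added example, not F5's code: it parses the JSON shape returned by GET /mgmt/tm/auth/user (each user carries a partitionAccess list of partition/role pairs) and reports users holding a role in the set treated here as Manager or higher. That set (admin, resource-admin, user-manager, manager) is an assumption taken from the F5 role ordering, the sample response is constructed, and the optional fetch helper assumes basic authentication against the management interface with a trusted certificate chain.

```python
"""Report BIG-IP users holding the Manager role or higher.

Added example, not F5 code. Parses the GET /mgmt/tm/auth/user collection
(kind tm:auth:user:usercollectionstate); the sample is constructed and the
MANAGER_OR_HIGHER set is an assumption based on the F5 role ordering.
"""
import base64
import json
import urllib.request

# Assumption: these roles are treated as "Manager or higher" for the review.
MANAGER_OR_HIGHER = {"admin", "resource-admin", "user-manager", "manager"}

# Constructed sample response in the collection shape iControl REST returns.
SAMPLE_RESPONSE = json.dumps({
    "kind": "tm:auth:user:usercollectionstate",
    "items": [
        {"name": "admin",
         "partitionAccess": [{"name": "all-partitions", "role": "admin"}]},
        {"name": "netops",
         "partitionAccess": [{"name": "Common", "role": "manager"}]},
        {"name": "viewer",
         "partitionAccess": [{"name": "all-partitions", "role": "auditor"}]},
        {"name": "multi",
         "partitionAccess": [{"name": "Common", "role": "operator"},
                             {"name": "dmz", "role": "manager"}]},
    ],
})


def privileged_users(response_text: str) -> list[dict]:
    """Return users with any partition grant in MANAGER_OR_HIGHER.

    Each entry lists the (partition, role) grants that qualify and whether one
    of them spans all partitions, which is the broadest exposure to review first.
    """
    data = json.loads(response_text)
    hits = []
    for user in data.get("items", []):
        grants = [(pa.get("name"), pa.get("role"))
                  for pa in user.get("partitionAccess", [])]
        strong = [(partition, role) for partition, role in grants
                  if role in MANAGER_OR_HIGHER]
        if strong:
            hits.append({
                "user": user["name"],
                "grants": strong,
                "all_partitions": any(p == "all-partitions" for p, _ in strong),
            })
    return hits


def fetch_user_collection(host: str, username: str, password: str) -> str:
    """Fetch the live collection over HTTPS with basic auth (assumption: enabled).

    Certificate verification is left at the default; install the appliance's CA
    rather than disabling verification for a management interface.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/mgmt/tm/auth/user",
        headers={"Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for entry in privileged_users(SAMPLE_RESPONSE):
        print(entry)
```

Run on a schedule and diff the output against the last approved list; a new name, or an existing name gaining an all-partitions grant, is the change this recommendation asks you to catch.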
How to Mitigate CVE-2026-39459
Immediate Actions Required
- Apply the fixed software versions identified in F5 Knowledge Base Article K000160863.
- Audit and reduce the number of accounts assigned the Manager role or higher on every BIG-IP instance.
- Rotate credentials for all administrative accounts and enforce multi-factor authentication on management interfaces.
- Restrict network access to iControl REST and tmsh to a dedicated, hardened management network.
Patch Information
F5 has published remediation guidance in F5 Knowledge Base Article K000160863. Customers should consult the article to identify fixed versions for their installed branch. Versions that have reached End of Technical Support are not evaluated and should be upgraded to a supported, patched release.
Workarounds
- Limit Manager-role assignments to a minimum set of trusted administrators until patches are deployed.
- Block iControl REST and tmsh access from untrusted networks using firewall rules or self-IP port lockdown.
- Require jump-host access and session recording for all BIG-IP administrative sessions.
- Enable detailed audit logging and forward events to a SIEM to detect abuse of configuration object creation.
# Example: restrict management access to a dedicated subnet on BIG-IP
# 10.10.0.0/24 is a placeholder; substitute your own management subnet
tmsh modify sys httpd allow replace-all-with { 10.10.0.0/24 }
tmsh modify sys sshd allow replace-all-with { 10.10.0.0/24 }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


