CVE-2026-40061 Overview
CVE-2026-40061 is a command injection vulnerability [CWE-77] in F5 BIG-IP when the DNS module is provisioned. An undisclosed iControl REST endpoint and BIG-IP TMOS Shell (tmsh) command fail to properly sanitize input, allowing authenticated attackers with the Resource Administrator or Administrator role to execute arbitrary system commands at elevated privileges. In Appliance mode deployments, successful exploitation crosses a security boundary that is otherwise intended to restrict administrative shell access. Software versions that have reached End of Technical Support (EoTS) were not evaluated by F5.
Critical Impact
Authenticated administrators can escalate privileges and execute arbitrary system commands on BIG-IP devices with DNS provisioned, bypassing Appliance mode restrictions.
Affected Products
- F5 BIG-IP with the DNS module provisioned
- F5 BIG-IP TMOS Shell (tmsh)
- F5 BIG-IP iControl REST interface
Discovery Timeline
- 2026-05-13 - CVE-2026-40061 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40061
Vulnerability Analysis
The flaw resides in an undisclosed tmsh command and a corresponding iControl REST endpoint that becomes reachable when BIG-IP DNS is provisioned. The command path passes attacker-influenced input to the underlying operating system without adequate neutralization of shell metacharacters, mapping to [CWE-77] Improper Neutralization of Special Elements used in a Command. An authenticated attacker holding the Resource Administrator or Administrator role can inject additional commands that execute with privileges higher than the role normally permits. In Appliance mode, where direct shell access is intentionally restricted to preserve a hardened security boundary, this primitive enables the attacker to break out of the restricted management context and run arbitrary commands as a higher-privilege system identity.
Root Cause
The root cause is unsafe construction of an operating system command from user-controllable parameters supplied through tmsh or the iControl REST API. Input that should be treated as data is concatenated into a command string and dispatched to a shell, allowing metacharacter-driven command chaining.
Attack Vector
Exploitation requires network access to the management interface and valid credentials for an account with Resource Administrator or Administrator privileges. The attacker sends a crafted iControl REST request or invokes the affected tmsh command with payload-bearing arguments. The injected commands execute outside the constraints of the user's assigned role and, in Appliance mode, outside the intended security boundary. No public proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified exploit code is publicly available. Refer to the F5 Security Advisory K000160788 for vendor technical details.
Detection Methods for CVE-2026-40061
Indicators of Compromise
- Unexpected tmsh command invocations containing shell metacharacters such as ;, |, &, backticks, or $()
- iControl REST requests to DNS-related endpoints originating from unusual source addresses or service accounts
- New or modified files in system directories following administrative API activity
- Audit log entries showing privileged command execution that does not correlate with documented change tickets
Detection Strategies
- Enable verbose iControl REST audit logging and forward /var/log/audit and /var/log/restjavad*.log to a central log platform for correlation.
- Baseline normal tmsh usage per administrator and alert on commands containing shell injection patterns or atypical argument structures.
- Restrict management interface exposure and monitor for authentication from accounts holding Resource Administrator or Administrator roles outside business hours.
Monitoring Recommendations
- Alert on iControl REST POST/PUT calls to DNS module endpoints that include encoded shell metacharacters in JSON bodies or query parameters.
- Monitor child processes spawned by restjavad, tmsh, and related management daemons for shells (/bin/sh, /bin/bash) or interpreters that are not part of expected workflows.
- Track creation of cron entries, SSH keys, or setuid binaries on BIG-IP appliances after administrative sessions.
How to Mitigate CVE-2026-40061
Immediate Actions Required
- Apply the fixed software versions published in F5 Security Advisory K000160788 as soon as a maintenance window permits.
- Audit accounts assigned the Resource Administrator and Administrator roles, removing or downgrading any that do not require that level of access.
- Rotate credentials and API tokens for any administrative account that may have been exposed.
- Restrict management plane access to a dedicated out-of-band network and a small set of jump hosts.
Patch Information
F5 has published patched versions in security advisory K000160788. Versions that have reached End of Technical Support were not evaluated and should be upgraded to a supported, patched release. Consult the advisory for the version matrix that applies to your branch and platform.
Workarounds
- If immediate patching is not possible, limit the number of users assigned Resource Administrator or Administrator roles to the minimum operationally required.
- Block iControl REST access from any network segment that does not require it using management interface access control lists.
- For deployments where BIG-IP DNS is not required, consider de-provisioning the DNS module until the patch can be applied.
- Require multi-factor authentication and source IP allow-listing for all administrative access to the BIG-IP management interface.
# Configuration example: restrict management access by source
tmsh modify sys httpd allow replace-all-with { 10.0.0.0/24 192.168.50.10/32 }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
