CVE-2026-41953: BIG-IP Privilege Escalation Vulnerability

CVE-2026-41953 Overview

CVE-2026-41953 is a privilege escalation vulnerability in F5 BIG-IP systems. An authenticated attacker holding at least the Resource Administrator role can modify configuration objects to elevate privileges beyond their assigned role. The flaw is categorized under [CWE-77] (Improper Neutralization of Special Elements used in a Command). F5 has documented the issue in F5 Knowledge Article K000160975. Software versions that have reached End of Technical Support (EoTS) are not evaluated by the vendor.

Critical Impact

A Resource Administrator can escalate to a higher privilege role on BIG-IP and gain full administrative control of the appliance, exposing confidentiality and integrity of all traffic and configuration.

Affected Products

• F5 BIG-IP (supported software branches per vendor advisory)
• Configurations exposing the Resource Administrator role to non-trusted operators
• BIG-IP management plane (TMUI/iControl REST configuration interfaces)

Discovery Timeline

• 2026-05-13 - CVE-2026-41953 published to NVD
• 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-41953

Vulnerability Analysis

The vulnerability lets an authenticated user with the Resource Administrator role modify configuration objects in a way that escalates privileges on the BIG-IP system. The Resource Administrator role is intended to manage system resources but is restricted from full administrative control. By manipulating specific configuration objects, the attacker bypasses that boundary and obtains administrator-equivalent capability. F5 classifies the weakness under [CWE-77], indicating that special elements passed into a command context are not properly neutralized, allowing the configuration change to alter command execution behavior.

Successful exploitation yields full control of the device's configuration, including TLS termination settings, traffic policies, and credentials stored on the appliance. Because BIG-IP devices typically sit inline with high-value application traffic, post-exploitation impact extends to the applications and identity flows the device fronts.

Root Cause

The root cause is improper neutralization of input within configuration objects writable by the Resource Administrator role [CWE-77]. The configuration handler accepts attacker-controlled values that are later incorporated into a command context without sufficient sanitization or role-based filtering, breaking the privilege boundary between Resource Administrator and Administrator.

Attack Vector

The attack vector is network-based but requires high privileges. An attacker must first authenticate to the BIG-IP management interface with valid Resource Administrator credentials. The attacker then submits crafted configuration object changes through the management plane to trigger privilege escalation. No user interaction is required. Verified proof-of-concept code is not publicly available at this time.

No verified exploit code is publicly available. Refer to F5 Knowledge Article K000160975
for vendor-supplied technical details and indicators.

Detection Methods for CVE-2026-41953

Indicators of Compromise

• Unexpected modifications to BIG-IP configuration objects performed by accounts with the Resource Administrator role.
• Audit log entries showing role changes, user creation, or permission grants originating from a non-Administrator account.
• iControl REST or TMUI API calls writing to configuration objects outside the account's normal operational scope.

Detection Strategies

• Baseline normal Resource Administrator activity and alert on configuration writes that touch privilege, authentication, or scripting-related objects.
• Correlate BIG-IP audit logs (/var/log/audit, /var/log/restjavad-audit.0.log) with SIEM rules that flag privilege changes shortly after configuration edits.
• Monitor for newly created administrative users or modified partitions following any session authenticated as Resource Administrator.

Monitoring Recommendations

• Forward BIG-IP audit and REST API logs to a centralized log platform with retention sufficient for forensic review.
• Alert on any role assignment change or new account with admin partition access on BIG-IP devices.
• Review management-plane access lists weekly and validate that Resource Administrator accounts are limited to operators who require that scope.

How to Mitigate CVE-2026-41953

Immediate Actions Required

• Apply the fixed software versions identified in F5 Knowledge Article K000160975 as soon as maintenance windows allow.
• Audit all accounts assigned the Resource Administrator role and remove the role from any user that does not strictly require it.
• Rotate credentials for BIG-IP local users and any API tokens used by automation against the management plane.

Patch Information

F5 has published remediation guidance in F5 Knowledge Article K000160975. Customers should consult the article for the list of fixed releases mapped to each supported BIG-IP branch. Versions in End of Technical Support are not evaluated and should be upgraded to a supported, fixed release.

Workarounds

• Restrict the BIG-IP management interface to trusted administrative networks using management-plane self IP port lockdown and upstream firewall rules.
• Limit assignment of the Resource Administrator role to a minimal set of trusted operators and prefer lower-privileged roles where possible.
• Enforce multi-factor authentication on the BIG-IP management interface to reduce the risk of credential-based access to the Resource Administrator role.

# Restrict management access on BIG-IP (example - validate before applying)
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh modify sys sshd inactivity-timeout 600
tmsh modify auth remote-user default-role auditor
# List users currently holding Resource Administrator
tmsh list auth user one-line | grep "resource-admin"