CVE-2026-41957 Overview
CVE-2026-41957 is an authenticated remote code execution vulnerability in the F5 BIG-IP and BIG-IQ Configuration utility. The flaw exists through undisclosed vectors and is associated with deserialization of untrusted data [CWE-502]. An attacker with valid credentials and network access to the Configuration utility can execute arbitrary code on the target system. Software versions that have reached End of Technical Support (EoTS) were not evaluated by the vendor.
Critical Impact
Authenticated attackers can achieve remote code execution on BIG-IP and BIG-IQ systems, compromising the confidentiality, integrity, and availability of network infrastructure devices that often sit in privileged positions within enterprise environments.
Affected Products
- F5 BIG-IP Configuration utility
- F5 BIG-IQ Configuration utility
- Software versions still under Technical Support (EoTS versions not evaluated)
Discovery Timeline
- 2026-05-13 - CVE-2026-41957 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41957
Vulnerability Analysis
The vulnerability resides in the Configuration utility, the web-based management interface used to administer BIG-IP and BIG-IQ appliances. F5 classifies the issue under [CWE-502: Deserialization of Untrusted Data], indicating the utility processes serialized objects without adequate validation. An attacker who supplies crafted serialized input can trigger code execution within the context of the Configuration utility process.
Exploitation requires valid authentication. The attack vector is network-based with low complexity and no user interaction. Successful exploitation yields high impact across confidentiality, integrity, and availability on the vulnerable component.
F5 has not disclosed the specific vectors involved. The advisory withholds technical specifics to reduce the risk of opportunistic exploit development while customers apply remediation.
Root Cause
The root cause is unsafe deserialization within the Configuration utility. When the utility deserializes attacker-controlled input, gadget chains in the underlying runtime can be abused to instantiate arbitrary objects and invoke arbitrary methods. This pattern routinely produces remote code execution in Java, Python, and similar managed runtimes used by network appliance management planes.
Attack Vector
An authenticated user with access to the Configuration utility submits a malicious serialized payload to an affected endpoint. The utility deserializes the payload, triggering gadget chain execution and running attacker-supplied code with the privileges of the management process. Because BIG-IP devices terminate TLS, perform authentication, and steer application traffic, code execution on the management plane can pivot to full data-plane compromise.
No verified public proof-of-concept code is available. The vulnerability is described in prose only; see the F5 Security Advisory K000156761 for vendor details.
Detection Methods for CVE-2026-41957
Indicators of Compromise
- Unexpected child processes spawned by the BIG-IP or BIG-IQ Configuration utility web process, particularly shells, interpreters, or networking tools.
- Outbound network connections from management interfaces to unfamiliar external hosts following Configuration utility activity.
- New or modified files in web application directories, cron entries, or systemd units on the appliance.
- Authenticated Configuration utility sessions originating from atypical source addresses or service accounts.
Detection Strategies
- Inspect Configuration utility access logs for POST requests containing serialized object markers or unusually large request bodies to administrative endpoints.
- Correlate authenticated administrative sessions with subsequent process execution events on the appliance.
- Hunt for deserialization gadget signatures in request bodies captured by upstream proxies or WAF telemetry.
Monitoring Recommendations
- Forward BIG-IP and BIG-IQ audit, restjavad, and httpd logs to a centralized SIEM for long-retention analysis.
- Alert on creation of new local accounts, SSH keys, or iControl REST tokens on managed devices.
- Monitor for configuration changes pushed outside of approved change windows.
How to Mitigate CVE-2026-41957
Immediate Actions Required
- Apply the patched BIG-IP and BIG-IQ versions identified in F5 Security Advisory K000156761 as soon as feasible.
- Restrict access to the Configuration utility to dedicated management networks and trusted administrative jump hosts.
- Rotate credentials and API tokens for all accounts with access to the Configuration utility.
- Audit administrative accounts and remove unused or shared credentials.
Patch Information
F5 has issued fixed software versions for supported BIG-IP and BIG-IQ releases. Versions that have reached End of Technical Support are not evaluated and will not receive a patch; affected customers running EoTS releases must upgrade to a supported branch. Refer to the vendor advisory for the exact fixed version matrix.
Workarounds
- Block Configuration utility access from untrusted networks at the network perimeter and on the device self-IP using port lockdown.
- Limit the Configuration utility to management-only interfaces and disable it on data-plane self-IPs.
- Enforce multi-factor authentication for all administrative accounts to raise the barrier for credential-based exploitation.
- Apply least-privilege role assignments so that fewer accounts hold the permissions required to reach the vulnerable functionality.
# Restrict BIG-IP Configuration utility to management interface only
tmsh modify sys httpd allow replace-all-with { 10.0.0.0/8 }
tmsh modify net self <self-ip> allow-service none
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
