CVE-2026-42408 Overview
CVE-2026-42408 is an information disclosure vulnerability affecting F5 BIG-IP systems when the DNS module is provisioned. An undisclosed TMOS Shell (tmsh) command exposes sensitive information to highly privileged authenticated attackers with local access. The flaw is categorized under CWE-312: Cleartext Storage of Sensitive Information. F5 has not evaluated software versions that have reached End of Technical Support (EoTS).
Critical Impact
A highly privileged authenticated user can leverage an undisclosed tmsh command to view sensitive information on BIG-IP DNS deployments, undermining confidentiality controls on production load-balancing and DNS infrastructure.
Affected Products
- F5 BIG-IP with the DNS module provisioned
- TMOS Shell (tmsh) command interface
- Versions still under F5 Technical Support — EoTS releases were not evaluated
Discovery Timeline
- 2026-05-13 - CVE-2026-42408 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42408
Vulnerability Analysis
The vulnerability resides in an undisclosed tmsh command that becomes available when BIG-IP DNS is provisioned. TMOS Shell is the administrative command-line interface on F5 BIG-IP appliances, reached over SSH or the serial console and used to configure modules, view runtime state, and manage system resources. When invoked, the affected command returns sensitive information in cleartext that the system should not reveal even to an administrator, or should display only in redacted form.
The weakness aligns with CWE-312, which covers cleartext storage or exposure of sensitive information. Attackers need high privileges and an authenticated session on the appliance, so the issue is not exploitable from the network without credentials or by unauthenticated users. Note that "local access" here means a shell session on the device itself (tmsh is normally reached over SSH), not physical proximity to the hardware. However, on appliances where role separation matters, for example between operators and security administrators, the disclosure can break confidentiality boundaries.
F5 has intentionally withheld the specific command name and the exact data exposed. Defenders should treat any BIG-IP DNS instance with shell-capable accounts as in scope until patched.
Root Cause
The root cause is improper protection of sensitive data surfaced by a tmsh administrative command. F5 has not disclosed what the command returns, but the CWE-312 classification indicates that the data is emitted in cleartext rather than being redacted, stored only as a hash, or gated behind an authorization check stricter than the role that is allowed to run the command.
Attack Vector
Exploitation requires an authenticated session with high privileges on the BIG-IP appliance and local access to the tmsh interface. An attacker who has already obtained an administrative shell — through credential theft, insider access, or chained compromise — runs the affected command and reads the returned sensitive output. No user interaction is required, and the attack does not cross a security scope boundary on its own. See the F5 Security Article K000157981 for vendor-provided technical detail.
Detection Methods for CVE-2026-42408
Indicators of Compromise
- Unexpected interactive tmsh sessions from administrative accounts outside change windows.
- Audit log entries showing execution of uncommon or undocumented tmsh subcommands on BIG-IP DNS systems.
- Administrative account logins from unusual source IPs, jump hosts, or service accounts that normally do not access TMOS Shell.
Detection Strategies
- Enable and forward BIG-IP audit logging (/var/log/audit) to a centralized SIEM and alert on tmsh command execution by privileged users.
- Baseline normal administrative command usage per operator and flag deviations, especially commands tied to the DNS module.
- Correlate tmsh activity with authentication events to identify use of shared, dormant, or recently elevated accounts.
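One way to implement the baseline-and-deviation strategy above, as an added example that is not part of the original page and not F5 tooling: it parses tmsh AUDIT entries of the kind written to /var/log/audit, learns which command shapes each operator runs during a training window, and then flags accounts with no history, command shapes an operator has never used, first-time use of the DNS module (BIG-IP DNS objects live under gtm in tmsh), and failed commands, which are typical of someone probing for undocumented subcommands. The log lines are constructed for the example, modeled on the layout of the tmsh AUDIT message (user=, folder=, module=(tmos)#, status=[...], cmd_data=); that field layout is an assumption to verify against your own appliances before deploying the regex.

```python
"""Baseline-and-deviation detection over BIG-IP /var/log/audit entries.

Added example for this page; it is not F5 code and not part of the advisory.
The log lines below are constructed, modeled on the AUDIT message tmsh writes
(user=, folder=, module=(tmos)#, status=[...], cmd_data=). Verify the field
layout against your own appliances before relying on the regex (assumption).
"""
import re
from collections import defaultdict

AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+\S+\s+tmsh\[(?P<pid>\d+)\]:\s+"
    r"(?P<msgid>[0-9a-f]+:\d+):\s+AUDIT - pid=\d+ user=(?P<user>\S+) folder=(?P<folder>\S+) "
    r"module=\((?P<module>[^)]+)\)#\s+status=\[(?P<status>[^\]]+)\]\s+cmd_data=(?P<cmd>.*)$"
)

# Constructed training window: what each operator normally runs.
TRAINING = [
    "May  6 09:00:11 bigip1 notice tmsh[4102]: 01420002:5: AUDIT - pid=4102 user=netops folder=/Common module=(tmos)# status=[Command OK] cmd_data=show ltm virtual",
    "May  6 09:01:30 bigip1 notice tmsh[4102]: 01420002:5: AUDIT - pid=4102 user=netops folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm pool web_pool",
    "May  7 14:12:05 bigip1 notice tmsh[5230]: 01420002:5: AUDIT - pid=5230 user=dnsadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list gtm wideip a",
    "May  7 14:13:40 bigip1 notice tmsh[5230]: 01420002:5: AUDIT - pid=5230 user=dnsadmin folder=/Common module=(tmos)# status=[Command OK] cmd_data=show gtm pool a",
]

# Constructed detection window: one routine command and three deviations.
WINDOW = [
    "May 13 02:10:01 bigip1 notice tmsh[7711]: 01420002:5: AUDIT - pid=7711 user=netops folder=/Common module=(tmos)# status=[Command OK] cmd_data=show ltm virtual",
    "May 13 02:10:45 bigip1 notice tmsh[7711]: 01420002:5: AUDIT - pid=7711 user=netops folder=/Common module=(tmos)# status=[Command OK] cmd_data=list gtm server",
    "May 13 02:12:03 bigip1 notice tmsh[7790]: 01420002:5: AUDIT - pid=7790 user=svc_backup folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys version",
    "May 13 02:15:22 bigip1 notice tmsh[7802]: 01420002:5: AUDIT - pid=7802 user=dnsadmin folder=/Common module=(tmos)# status=[Syntax Error: unexpected argument] cmd_data=list gtm unknownobj",
]


def parse_audit_line(line):
    """Return the parsed fields of a tmsh AUDIT line, or None for any other log line."""
    m = AUDIT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["cmd"] = ev["cmd"].strip()
    return ev


def command_shape(cmd):
    """Reduce a command to (verb, module): 'list gtm wideip a' -> ('list', 'gtm').

    Object names are dropped so the baseline compares what kind of command ran,
    not which object it touched."""
    tokens = cmd.split()
    verb = tokens[0] if tokens else ""
    module = tokens[1] if len(tokens) > 1 else ""
    return (verb, module)


def touches_dns_module(cmd):
    """BIG-IP DNS configuration and state live under the gtm module in tmsh."""
    return "gtm" in cmd.split()


def build_baseline(lines):
    """Map each user to the set of command shapes seen in the training window."""
    baseline = defaultdict(set)
    for line in lines:
        ev = parse_audit_line(line)
        if ev is not None:
            baseline[ev["user"]].add(command_shape(ev["cmd"]))
    return dict(baseline)


def detect(lines, baseline):
    """Return deviations as (alert_type, user, command) tuples, in log order."""
    alerts = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue
        user, cmd = ev["user"], ev["cmd"]
        known = baseline.get(user)
        if known is None:
            # Account with no history: dormant, newly created, or newly elevated.
            alerts.append(("unbaselined_user", user, cmd))
        elif command_shape(cmd) not in known:
            alerts.append(("new_command_shape", user, cmd))
        if touches_dns_module(cmd) and not any("gtm" in shape for shape in (known or ())):
            # DNS-module command from an operator who never touched the module before.
            alerts.append(("dns_module_access", user, cmd))
        if ev["status"] != "Command OK":
            # Failed commands are what probing for undocumented subcommands looks like.
            alerts.append(("command_failed", user, cmd))
    return alerts


def run_example():
    """Build the baseline from TRAINING and run detection over WINDOW."""
    return detect(WINDOW, build_baseline(TRAINING))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

In production the training window should cover at least one full change cycle per operator, and the alert tuples would be forwarded to the SIEM and joined against the authentication events for the same user and source address so that shared or recently elevated accounts stand out.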
Monitoring Recommendations
- Continuously monitor F5 BIG-IP audit and secure logs for privileged command execution and session creation.
- Review role assignments (admin, resource-admin) on BIG-IP DNS appliances and alert when new high-privilege roles are granted.
- Track configuration export and shell-based read operations against expected operational runbooks.
How to Mitigate CVE-2026-42408
Immediate Actions Required
- Review the F5 Security Article K000157981 and identify any BIG-IP DNS systems running affected, supported versions.
- Apply the F5-provided fixed release as soon as it is available for your branch.
- Reduce the number of accounts with the Administrator or equivalent role on BIG-IP DNS appliances.
- Rotate credentials, API tokens, and shared secrets that could have been exposed through tmsh on any system suspected of misuse.
Patch Information
F5 has published remediation guidance in F5 Security Article K000157981. Apply the fixed BIG-IP version for your branch as listed in the advisory. Software versions that have reached End of Technical Support (EoTS) were not evaluated and should be upgraded to a supported release before patching.
Workarounds
- Restrict administrative access to BIG-IP DNS to a dedicated management network and bastion hosts only.
- Enforce multi-factor authentication for all accounts that can reach tmsh.
- Apply least privilege by replacing broad administrator roles with scoped roles where operational duties allow.
- Increase audit log retention and forward logs off-box so command activity remains available for forensic review.
# Configuration example: restrict tmsh access and audit privileged commands on BIG-IP
# Run this from a session that originates inside the allowlisted subnet or from the
# serial console: once saved, any address outside the list loses GUI/REST (httpd)
# and SSH (sshd, and therefore tmsh) access to the appliance.
# Limit management access to an allowlisted subnet
tmsh modify sys httpd allow replace-all-with { 10.0.0.0/24 }
tmsh modify sys sshd allow replace-all-with { 10.0.0.0/24 }
# Log tmsh activity to /var/log/audit. The enable level records configuration
# changes; a disclosure through a read-only command leaves no configuration change
# behind, so check the F5 documentation for the config.auditing level that also
# records read-only commands such as list and show before relying on this log.
tmsh modify sys db config.auditing value enable
# Save configuration
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


