CVE-2026-42937 Overview
CVE-2026-42937 affects F5 BIG-IP and BIG-IQ products through incorrect permission assignment in the TMOS Shell (tmsh) arp and ndp commands, and in the BIG-IP iControl REST interface. An authenticated attacker can leverage these flaws to view adjacent network information that should be restricted. The vulnerability is tracked under [CWE-732: Incorrect Permission Assignment for Critical Resource]. F5 notes that software versions which have reached End of Technical Support (EoTS) are not evaluated for this issue.
Critical Impact
Authenticated users with low privileges can access sensitive Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) data, exposing adjacent network topology and host information useful for lateral movement.
Affected Products
- F5 BIG-IP (TMOS Shell tmsh arp and ndp commands)
- F5 BIG-IP (iControl REST interface)
- F5 BIG-IQ (TMOS Shell tmsh arp and ndp commands)
Discovery Timeline
- 2026-05-13 - CVE-2026-42937 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42937
Vulnerability Analysis
The vulnerability resides in two distinct administrative interfaces on F5 BIG-IP and BIG-IQ systems. The TMOS Shell (tmsh) arp and ndp commands return Layer 2 neighbor information without enforcing appropriate access boundaries. The BIG-IP iControl REST API exposes the same class of data through programmatic endpoints. Both paths share the same root weakness, which is improper permission assignment on resources containing adjacent network state.
An authenticated attacker with low privileges can query these interfaces to enumerate ARP and NDP tables. The exposed data reveals MAC-to-IP mappings, IPv6 neighbors, and reachability state for systems on networks adjacent to the BIG-IP device. This information supports reconnaissance, network mapping, and targeting of downstream hosts that the load balancer can reach.
Root Cause
The root cause is incorrect permission assignment for critical resources, classified as [CWE-732]. The arp and ndp command handlers, along with the corresponding iControl REST endpoints, did not enforce role-based access controls aligned with the sensitivity of neighbor table data. Accounts that should have been restricted to operational tasks could read information intended for administrators.
Attack Vector
The attack is network-based and requires valid authentication to the BIG-IP or BIG-IQ management plane. An attacker invokes the arp or ndp subcommand inside tmsh or sends an authenticated HTTPS request to the affected iControl REST resource. The response returns neighbor entries that disclose adjacent network composition. No user interaction or privilege escalation step is needed beyond initial authentication.
No public proof-of-concept code is associated with this CVE. Refer to the F5 Security Advisory K000161018 for vendor-supplied technical context and version-specific details.
Detection Methods for CVE-2026-42937
Indicators of Compromise
- Authenticated tmsh sessions invoking arp or ndp subcommands from accounts that do not normally perform network diagnostics.
- iControl REST requests targeting ARP or NDP resource paths originating from low-privilege service accounts or unusual source addresses.
- Repeated enumeration patterns against neighbor table endpoints over short time windows.
Detection Strategies
- Enable audit logging for tmsh command execution and correlate arp/ndp command usage with the invoking user role.
- Monitor iControl REST access logs for read operations against neighbor table endpoints and baseline expected callers.
- Alert on first-time use of these commands by accounts whose role does not include network troubleshooting.
Monitoring Recommendations
- Forward BIG-IP and BIG-IQ audit logs to a centralized logging or SIEM platform for retention and correlation.
- Track API token usage on the iControl REST interface and flag tokens that query neighbor data outside maintenance windows.
- Review user role assignments quarterly to confirm that read access to network diagnostic data follows least privilege.
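The detection strategies and monitoring recommendations above can be combined into a single correlation rule: parse tmsh audit lines and iControl REST access lines, keep only ARP/NDP reads, and raise an alert when the caller's role does not include network diagnostics, when a caller queries neighbor data for the first time, or when one account enumerates in a burst. The following is an added example written for this page, not code from F5 or from the advisory; the log lines are constructed, the tmsh audit line shape and the REST paths `/mgmt/tm/net/arp` and `/mgmt/tm/net/ndp` are assumed, and the role map, diagnostic-role set and baseline are local policy placeholders.

```python
import re
from datetime import datetime

# Constructed sample logs (not from a real device). tmsh audit line shape is
# assumed from the usual /var/log/audit format; the REST lines are an
# Apache-style httpd access log with the basic-auth user in the third field.
TMSH_AUDIT = [
    "May 13 10:00:01 bigip1 notice tmsh[1001]: 01420002:5: AUDIT - pid=1001 user=netops folder=/Common module=(tmos)# status=[Command OK] cmd_data=show net arp",
    "May 13 10:00:05 bigip1 notice tmsh[1002]: 01420002:5: AUDIT - pid=1002 user=svc_report folder=/Common module=(tmos)# status=[Command OK] cmd_data=show net arp",
    "May 13 10:00:07 bigip1 notice tmsh[1002]: 01420002:5: AUDIT - pid=1002 user=svc_report folder=/Common module=(tmos)# status=[Command OK] cmd_data=show net ndp",
    "May 13 10:00:09 bigip1 notice tmsh[1002]: 01420002:5: AUDIT - pid=1002 user=svc_report folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual",
]
REST_ACCESS = [
    '10.0.0.50 - svc_ci [13/May/2026:10:01:00 +0000] "GET /mgmt/tm/net/arp HTTP/1.1" 200 512',
    '10.0.0.50 - svc_ci [13/May/2026:10:01:02 +0000] "GET /mgmt/tm/net/ndp HTTP/1.1" 200 480',
    '10.0.0.50 - svc_ci [13/May/2026:10:01:03 +0000] "GET /mgmt/tm/net/arp HTTP/1.1" 200 512',
    '10.0.0.7 - netops [13/May/2026:10:05:00 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 200 2048',
]
ROLES = {"netops": "administrator", "svc_report": "operator", "svc_ci": "guest"}  # assumed role map
DIAG_ROLES = {"administrator", "resource-administrator"}  # local policy: roles allowed to run diagnostics
BASELINE = {"netops"}  # accounts expected to read neighbor tables

TMSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?user=(\S+) .*?cmd_data=(?:show|list) net (arp|ndp)\b")
REST_RE = re.compile(r'^\S+ \S+ (\S+) \[([^\]]+)\] "GET /mgmt/tm/net/(arp|ndp)\b')

def neighbor_queries(tmsh_lines, rest_lines, year=2026):
    """Yield (timestamp, user, interface, table) for every ARP/NDP read seen."""
    for line in tmsh_lines:
        m = TMSH_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            yield ts, m[2], "tmsh", m[3]
    for line in rest_lines:
        m = REST_RE.match(line)
        if m:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            yield ts, m[1], "rest", m[3]

def detect(tmsh_lines, rest_lines, burst=3, window_s=60):
    """Return sorted (alert, user, interface) tuples for the three rules."""
    alerts, seen, recent = set(), set(), {}
    for ts, user, iface, _table in sorted(neighbor_queries(tmsh_lines, rest_lines)):
        if ROLES.get(user) not in DIAG_ROLES:          # role lacks network troubleshooting
            alerts.add(("role_violation", user, iface))
        if user not in BASELINE and user not in seen:  # first-time caller outside baseline
            alerts.add(("first_use", user, iface))
        seen.add(user)
        hits = [t for t in recent.get(user, []) if (ts - t).total_seconds() <= window_s] + [ts]
        recent[user] = hits
        if len(hits) >= burst:                          # repeated enumeration in a short window
            alerts.add(("burst", user, iface))
    return sorted(alerts)
```

In production the role map would come from `tmsh list auth user` output rather than a literal, and the baseline from a learning period on the SIEM.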
How to Mitigate CVE-2026-42937
Immediate Actions Required
- Review the F5 Security Advisory K000161018 for the fixed software versions applicable to your deployment.
- Audit all BIG-IP and BIG-IQ user accounts and remove unnecessary low-privilege access to the management plane.
- Rotate API tokens and credentials used for iControl REST automation that may have been exposed.
Patch Information
F5 has documented affected and fixed versions in F5 Security Advisory K000161018. Software versions that have reached End of Technical Support are not evaluated and should be upgraded to a supported, patched release. Apply the vendor-supplied update for both BIG-IP and BIG-IQ as appropriate to the deployment.
Workarounds
- Restrict management plane access to a dedicated administrative network and block management interfaces from general user networks.
- Limit tmsh and iControl REST access to administrator roles only until patches are deployed.
- Enforce multi-factor authentication on all BIG-IP and BIG-IQ accounts to reduce risk from credential compromise.
# Configuration example: restrict iControl REST and tmsh to admin role
# Review current users and roles on BIG-IP
tmsh list auth user
# Modify a user to remove elevated read access where not required
tmsh modify auth user <username> partition-access replace-all-with { all-partitions { role operator } }
# Restrict management access to a trusted subnet
tmsh modify sys httpd allow replace-all-with { 10.0.0.0/24 }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.