F5 BIG-IP/BIG-IQ CVE-2026-32643: High-Privilege RCE

The National Vulnerability Database has detailed CVE-2026-32643, a high-severity vulnerability affecting F5 BIG-IP and BIG-IQ systems. This flaw allows a highly privileged, authenticated attacker holding at least the Certificate Manager role to modify specific configuration objects. The critical impact is the ability to execute arbitrary commands on the underlying system.

This isn’t a zero-day for unauthenticated attackers, but it’s a critical path for an insider threat or an attacker who has already achieved initial access and privilege escalation within the network. Gaining a Certificate Manager role on a BIG-IP or BIG-IQ system typically means an attacker has already bypassed significant controls. With this vulnerability, they can pivot from a high-privilege but constrained role to full system compromise.

The CVSSv3.1 score of 8.7 (HIGH) reflects the significant impact on confidentiality and integrity, with no availability impact. The attack vector is Network, with low attack complexity, requiring high privileges and no user interaction. This highlights the danger of lateral movement once an attacker is inside and has secured privileged credentials.

What This Means For You

  • If your organization uses F5 BIG-IP or BIG-IQ, you need to understand the implications of CVE-2026-32643. This vulnerability enables a high-privilege insider or post-compromise attacker to achieve arbitrary code execution. Review and enforce strict role-based access controls for your F5 systems, especially for roles like Certificate Manager. Ensure logging is robust for configuration changes and command execution attempts. Patching is paramount, but also consider the blast radius if an attacker gains high-level access to these critical network devices.

🛡️ Detection Rules

medium T1219 Command and Control

Unauthorized Remote Access Tool Detection

Sigma YAML
title: Unauthorized Remote Access Tool Detection
id: scw-2026-05-13-1
status: experimental
level: medium
description: |
  Detects execution of remote access tools commonly abused by threat actors for persistent access.
author: SCW Feed Engine (auto-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-32643/
tags:
  - attack.command_and_control
  - attack.t1219
# Windows endpoint process-creation telemetry; BIG-IP/BIG-IQ appliance logs
# are not covered by this logsource.
logsource:
  category: process_creation
  product: windows
detection:
  # Match on the executable path of common remote access tools.
  selection:
    Image|endswith:
      - '\AnyDesk.exe'
      - '\TeamViewer.exe'
      - '\ScreenConnect.exe'
      - '\RemoteUtilities.exe'
      - '\RustDesk.exe'
  # condition is a sibling of selection, not a field inside it.
  condition: selection
falsepositives:
  - Legitimate, approved use of the listed remote access tools

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32643 | RCE | BIG-IP systems |
| CVE-2026-32643 | RCE | BIG-IQ systems |
| CVE-2026-32643 | Privilege Escalation | Authenticated attacker with Certificate Manager role can modify configuration objects to run arbitrary commands. |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.