F5 BIG-IP Scripted Monitors Allow High-Privilege Command Execution (CVE-2026-32673)
A critical vulnerability, tracked as CVE-2026-32673, has been identified in F5 BIG-IP scripted monitors. The National Vulnerability Database reports that this flaw permits an authenticated attacker, holding either the Resource Administrator or Administrator role, to execute arbitrary system commands with elevated privileges. This is a significant escalation of access.
The CVSSv3.1 score of 8.7 (HIGH) underscores the severity. In appliance mode deployments, successful exploitation enables an attacker to cross a security boundary, potentially leading to full system compromise. The root cause is categorized as CWE-250, indicating improper authorization in a privileged program.
While specific affected product versions were not detailed by the National Vulnerability Database, organizations running F5 BIG-IP should assume they are at risk unless proven otherwise. This vulnerability highlights the persistent danger of privilege escalation paths, even within seemingly trusted administrative interfaces.
What This Means For You
- If your organization relies on F5 BIG-IP, you need to assess your exposure to CVE-2026-32673. Review administrative access controls and audit logs for any suspicious activity, especially if you operate in appliance mode. Patching should be your top priority once F5 releases an advisory or fix. This isn't theoretical; it's a direct path to higher privileges.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-32673: F5 BIG-IP Scripted Monitor Command Execution
title: CVE-2026-32673: F5 BIG-IP Scripted Monitor Command Execution
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
Detects the use of 'tmsh' to create or modify CLI scripts, which is a key step in exploiting CVE-2026-32673. This vulnerability allows authenticated users with specific roles to execute arbitrary system commands with higher privileges via scripted monitors in F5 BIG-IP.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-32673/
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
detection:
selection:
Image|contains:
- '/usr/bin/tmsh'
CommandLine|contains:
- 'create cli script'
- 'modify cli script'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32673 | RCE | F5 BIG-IP scripted monitors |
| CVE-2026-32673 | Privilege Escalation | Authenticated attacker with Resource Administrator or Administrator role |
| CVE-2026-32673 | Auth Bypass | Appliance mode deployments security boundary bypass |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-44577 — Next.js is a React framework for building full-stack web
CVE-2026-44577 — Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default...
CVE-2026-44576 — Next.js is a React framework for building full-stack web
CVE-2026-44576 — Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can...
Next.js App Router Flaw Bypasses Middleware Authorization
CVE-2026-44575 — Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on...