F5 BIG-IP DNS Vulnerability Allows Privilege Escalation

The National Vulnerability Database has disclosed CVE-2026-40061, a high-severity vulnerability affecting F5 BIG-IP DNS when provisioned. This flaw exists within an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command, allowing an authenticated attacker with Resource Administrator or Administrator roles to execute arbitrary system commands with higher privileges.

This isn’t just a simple privilege escalation; in Appliance mode deployments, a successful exploit can allow attackers to cross a significant security boundary. The CVSSv3.1 score is 8.7 (HIGH), underscoring the critical impact, particularly the complete compromise of confidentiality and integrity (C:H/I:H) once exploited, despite requiring high privileges (PR:H).

Attackers are always looking for ways to move laterally and elevate privileges once inside. This vulnerability provides exactly that: a clear path to deeper system compromise for an already authenticated attacker. It’s a critical chink in the armor for environments where BIG-IP DNS is a core component, especially given the broad access it grants.

What This Means For You

  • If your organization uses F5 BIG-IP DNS, you need to identify all provisioned instances immediately. While the vulnerability requires existing authenticated access, it significantly escalates the risk from an insider threat or compromised administrator account. Prioritize patching once F5 releases a fix, and ensure your logging and monitoring can detect unusual command execution on BIG-IP devices.

🛡️ Detection Rules

title: CVE-2026-40061 - F5 BIG-IP DNS Privilege Escalation via iControl REST/tmsh
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects execution of 'tmsh sys command', the vector for privilege escalation in F5 BIG-IP DNS environments described in CVE-2026-40061. The rule targets the command injection flaw within tmsh that allows authenticated users with specific roles to execute arbitrary system commands with elevated privileges.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40061/
tags:
  - attack.privilege_escalation
  - attack.t1078.002
logsource:
  category: process_creation
detection:
  selection:
    Image|startswith:
      - '/usr/bin/tmsh'
    CommandLine|contains:
      - 'sys command'
  # condition must sit at the detection level, not inside the selection map
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
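As an added example (not from the page or from the SCW feed), the following Python applies the rule's selection to process-creation events and shows why both conditions, the tmsh image prefix and the 'sys command' substring, have to hold together. The event lines are constructed; the /usr/bin/tmsh path and the field names come from the rule as written, and Sigma's default case-insensitive string matching is assumed.

```python
import json

# Selection criteria transcribed from the Sigma rule above. Sigma string
# matching is case-insensitive by default, so both sides are lowercased.
IMAGE_PREFIXES = ("/usr/bin/tmsh",)
COMMANDLINE_SUBSTRINGS = ("sys command",)


def matches_rule(event: dict) -> bool:
    """True when a process_creation event satisfies the rule's selection
    (Image|startswith AND CommandLine|contains)."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    image_hit = any(image.startswith(p.lower()) for p in IMAGE_PREFIXES)
    cmdline_hit = any(s.lower() in cmdline for s in COMMANDLINE_SUBSTRINGS)
    return image_hit and cmdline_hit


def scan_events(lines):
    """Apply the rule to JSON-per-line events and return (line_no, User,
    CommandLine) for each hit. Malformed lines are skipped so one bad record
    cannot stall the pipeline."""
    hits = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if matches_rule(event):
            hits.append((line_no, event.get("User", "unknown"),
                         event.get("CommandLine", "")))
    return hits


# Constructed sample events (not real BIG-IP logs). Field names follow the
# Sigma process_creation taxonomy; the argument to 'sys command' is omitted.
SAMPLE_EVENTS = [
    '{"Image": "/usr/bin/tmsh", "CommandLine": "tmsh list ltm virtual", "User": "admin"}',
    '{"Image": "/usr/bin/tmsh", "CommandLine": "tmsh sys command ARGS_OMITTED", "User": "resadmin"}',
    '{"Image": "/bin/grep", "CommandLine": "grep \'sys command\' /var/log/audit", "User": "root"}',
    'not json at all',
    '{"Image": "/usr/bin/tmsh", "CommandLine": "tmsh Sys Command ARGS_OMITTED", "User": "admin"}',
]

if __name__ == "__main__":
    for line_no, user, cmd in scan_events(SAMPLE_EVENTS):
        print(f"line {line_no}: user={user} cmdline={cmd!r}")
```

The grep line on line 3 carries the substring but not the tmsh image, so it does not fire; line 5 fires despite the mixed case, which matters when the rule is converted to a backend whose default matching is case-sensitive.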

Indicators of Compromise

ID             | Type                 | Indicator
CVE-2026-40061 | Privilege Escalation | BIG-IP DNS
CVE-2026-40061 | Command Injection    | iControl REST command
CVE-2026-40061 | Command Injection    | BIG-IP TMOS Shell (tmsh) command
CVE-2026-40061 | Auth Bypass          | Appliance mode deployments security boundary

Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
