BIG-IP, BIG-IQ Configuration Utility RCE via Authenticated Access

The National Vulnerability Database has published CVE-2026-41957, an authenticated remote code execution (RCE) vulnerability in the BIG-IP and BIG-IQ Configuration utility. The flaw carries a CVSS score of 8.8 (HIGH) and allows an attacker who already holds authenticated access to the utility to execute arbitrary code through undisclosed vectors. It is classified as CWE-502, deserialization of untrusted data.

This is a high-severity finding. "Authenticated" means the attacker must first obtain valid Configuration utility credentials or a live session, but once they have them a single request can yield full control of the appliance, which sits in the path of the traffic it load-balances and terminates. CWE-502 indicates that the utility deserializes attacker-controlled input; because the vector is undisclosed, defenders cannot block a specific request shape and should instead cut off reachability of the management plane and watch what authenticated sessions do.

The NVD entry does not list affected versions. Organizations running BIG-IP or BIG-IQ should treat all supported versions as potentially affected until the vendor advisory confirms otherwise. Versions that have reached End of Technical Support (EoTS) are explicitly not evaluated, so they will not receive a fix and should be assumed exposed.

What This Means For You

  • If your organization runs F5 BIG-IP or BIG-IQ, you are one compromised administrative credential away from full appliance compromise. Restrict the Configuration utility and iControl REST to a dedicated management network or jump host, enforce multi-factor authentication for every administrative login, and keep these management interfaces off the data plane and the Internet. Review the Configuration utility's HTTP access logs and the appliance audit log now for administrative activity from unexpected sources, accounts or times, and apply the vendor fix as soon as it is available.

🛡️ Detection Rules

Level: critical · ATT&CK: T1190 Exploit Public-Facing Application (Initial Access)

CVE-2026-41957 - BIG-IP/BIG-IQ - Shell Command via iControl REST /mgmt/tm/util/bash

Sigma YAML:

```yaml
title: CVE-2026-41957 - BIG-IP/BIG-IQ - Shell Command via iControl REST /mgmt/tm/util/bash
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects successful POST requests to '/mgmt/tm/util/bash', the BIG-IP/BIG-IQ iControl REST
  endpoint that runs a shell command supplied in the request body as the authenticated user.
  The exploitation vector for CVE-2026-41957 is undisclosed, so this rule does not detect the
  vulnerability itself; it catches the command execution an attacker holding Configuration
  utility credentials would typically perform alongside exploitation. Non-200 responses
  (e.g. 401) to the same URI are rejected attempts and are deliberately excluded here; alert
  on them separately at a lower level.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41957/
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059.004
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    c-uri|contains: '/mgmt/tm/util/bash'
    sc-status: '200'
  condition: selection
falsepositives:
  - Legitimate administrative or automation use of the iControl REST bash utility; baseline the source addresses and service accounts that are expected to call it
```
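To show what that selection does against real-looking data, the following is an added Python example (not part of the original page or of F5's tooling) that parses constructed access-log lines and applies the same three conditions. The log layout ("<src_ip> <method> <uri> <status> <user>"), the sample lines, and the `KNOWN_AUTOMATION_USERS` allowlist are assumptions for illustration; a production BIG-IP httpd access log carries more fields, so `parse_line()` would be adapted to it. Beyond the rule as written, it also labels rejected (non-200) attempts and flags hits from expected automation accounts for review instead of paging on them, and it matches the URI case-insensitively, which is Sigma's default string semantics.

```python
"""Apply the Sigma selection above to constructed BIG-IP-style access log lines.

Added example; the log format, sample lines and allowlist are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log in the assumed shape "<src_ip> <method> <uri> <status> <user>".
SAMPLE_LOG = """\
10.0.0.5 GET /tmui/login.jsp 200 -
10.0.0.5 POST /mgmt/tm/util/bash 200 admin
10.0.0.9 POST /mgmt/tm/util/bash 401 -
10.0.0.5 GET /mgmt/tm/sys/version 200 admin
10.0.0.7 POST /mgmt/tm/util/bash 200 svc-deploy
10.0.0.9 POST /MGMT/tm/util/BASH 200 admin
"""

# Assumed tuning: service accounts that are expected to call the bash utility.
KNOWN_AUTOMATION_USERS = {"svc-deploy"}

TARGET_URI_FRAGMENT = "/mgmt/tm/util/bash"

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


@dataclass(frozen=True)
class Event:
    src_ip: str
    method: str
    uri: str
    status: int
    user: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one assumed-format log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, method, uri, status, user = m.groups()
    return Event(src_ip, method.upper(), uri, int(status), user)


def hits_endpoint(ev: Event) -> bool:
    """POST to the bash utility URI, compared case-insensitively like Sigma's |contains."""
    return ev.method == "POST" and TARGET_URI_FRAGMENT in ev.uri.lower()


def matches_selection(ev: Event) -> bool:
    """The rule's full selection: cs-method POST, c-uri contains the fragment, sc-status 200."""
    return hits_endpoint(ev) and ev.status == 200


def classify(ev: Event) -> Optional[str]:
    """Return a label for events touching the endpoint, else None.

    critical: selection hit, i.e. the appliance accepted a shell command
    review:   selection hit by an allowlisted automation account (false-positive candidate)
    attempt:  same endpoint but a non-200 response, which the Sigma rule drops
    """
    if not hits_endpoint(ev):
        return None
    if matches_selection(ev):
        return "review" if ev.user in KNOWN_AUTOMATION_USERS else "critical"
    return "attempt"


def run_detection(log_text: str) -> List[Tuple[str, Event]]:
    """Run classify() over every parseable line and collect the labelled events in order."""
    findings: List[Tuple[str, Event]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev)
        if label is not None:
            findings.append((label, ev))
    return findings


if __name__ == "__main__":
    for label, ev in run_detection(SAMPLE_LOG):
        print(f"{label:8} {ev.src_ip:10} {ev.user:12} {ev.method} {ev.uri} -> {ev.status}")
```

Run against the sample, the two `admin` hits come out as critical, the `svc-deploy` hit as review, and the 401 as an attempt that the Sigma rule alone would never surface; in a SIEM the "attempt" class is where credential-stuffing against the REST interface shows up before a successful login.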

Source: Shimi's Cyber World

Indicators of Compromise

ID               Type   Indicator
CVE-2026-41957   RCE    BIG-IP Configuration utility
CVE-2026-41957   RCE    BIG-IQ Configuration utility
CVE-2026-41957   RCE    Authenticated remote code execution

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
