Arbitrary Command Execution Vulnerability in BIG-IP DNS by F5
CVE-2026-40061

8.5HIGH

Key Information:

Vendor: F5
Status: Big-ip
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-40061?

A significant vulnerability in BIG-IP DNS can allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary commands with elevated privileges. This vulnerability arises from undisclosed commands within the iControl REST and BIG-IP TMOS Shell (tmsh). When the system is in Appliance mode, an attacker could exploit this flaw to breach security boundaries, potentially compromising sensitive aspects of the network. It is crucial for users to update to a patched version, as those that have reached End of Technical Support (EoTS) have not been evaluated for this vulnerability.

Affected Version(s)

BIG-IP 21.0.0 < 21.0.0.1

BIG-IP 17.5.0 < 17.5.1.4

BIG-IP 17.1.0 < 17.1.3.1

References

https://my.f5.com/manage/s/article/K000160788

vendor-advisorypatch

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

CVE-2026-40061 Data

JSON