Arbitrary Command Execution in F5 BIG-IP and BIG-IQ Systems
CVE-2026-42406

8.5HIGH

Key Information:

Vendor: F5
Status: Big-ip; Big-iq
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-42406?

A security vulnerability in F5 BIG-IP and BIG-IQ systems allows attackers with the Certificate Manager role to modify configuration objects. This enables them to execute arbitrary commands, posing a significant risk to the integrity of the affected systems. Important to note, versions that have reached End of Technical Support (EoTS) are not included in the evaluation of this vulnerability.

Affected Version(s)

BIG-IP 21.0.0 < 21.0.0.2

BIG-IP 17.5.0 < 17.5.1.6

BIG-IP 17.1.0 < 17.1.3.2

References

https://my.f5.com/manage/s/article/K000160971

vendor-advisorypatch

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

CVE-2026-42406 Data

JSON