PatchSiren cyber security CVE debrief

CVE-2026-39459 F5 CVE debrief

CVE-2026-39459 is a high-severity vulnerability with a CVSS score of 8.6. A highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands via iControl REST and TMOS Shell (tmsh). This vulnerability affects multiple F5 BIG-IP products across various versions. Software versions that have reached End of Technical Support (EoTS) are not evaluated. F5 has provided mitigation guidance.

Vendor: F5
Product: BIG-IP
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-29
Advisory published: 2026-05-13
Advisory updated: 2026-06-29

Who should care

Organizations using F5 BIG-IP products, especially those with highly privileged user accounts, should prioritize patching. The vulnerability's high severity and potential for command execution make it critical. Security teams should review affected versions and implement compensating controls if immediate patching is not feasible.

Technical summary

The vulnerability exists in iControl REST and TMOS Shell (tmsh), allowing highly privileged authenticated attackers to create configuration objects that enable arbitrary command execution. This affects multiple F5 BIG-IP products, including BIG-IP Access Policy Manager, Advanced Firewall Manager, Advanced Web Application Firewall, and others. The CVSS:4.0 vector is AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Patching is the top priority. If immediate patching is not possible, implement compensating controls such as restricting access to iControl REST and tmsh for highly privileged users, monitoring for suspicious activity, and enhancing logging and auditing.

Recommended defensive actions

  • Apply patches or updates provided by F5 for affected BIG-IP products.
  • Restrict access to iControl REST and TMOS Shell (tmsh) for highly privileged users.
  • Monitor for suspicious activity and enhance logging and auditing.
  • Implement network segmentation to limit lateral movement.
  • Review and update incident response plans to address potential exploitation.
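The monitoring and auditing actions above can be turned into a concrete review step: since the vulnerability is exercised by a Manager-or-higher account creating configuration objects through tmsh or iControl REST, the audit trail of who created or modified objects, and with what role, is the signal worth collecting. The script below is an added example, not part of the debrief or of F5's own guidance. It assumes audit entries in the general shape of BIG-IP tmsh audit log lines (pid, user, folder, module, status and cmd_data fields); the sample lines, the user-to-role mapping and the role names are constructed for the example and should be replaced with an export from the real device.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample audit lines in the general shape of BIG-IP tmsh audit
# entries. The exact format is an assumption for this example.
SAMPLE_AUDIT_LOG = """\
May 14 09:12:01 bigip1 notice tmsh[4120]: 01420002:5: AUDIT - pid=4120 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
May 14 09:13:44 bigip1 notice tmsh[4133]: 01420002:5: AUDIT - pid=4133 user=ops_manager folder=/Common module=(tmos)# status=[Command OK] cmd_data=create ltm pool app_pool members add { 10.0.0.5:80 }
May 14 09:15:02 bigip1 notice tmsh[4140]: 01420002:5: AUDIT - pid=4140 user=ops_manager folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify ltm virtual vs_app pool app_pool
May 14 09:16:30 bigip1 notice tmsh[4151]: 01420002:5: AUDIT - pid=4151 user=auditor1 folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys version
"""

# Constructed user-to-role mapping; on a real device this comes from the
# exported user database, not from a hard-coded table.
USER_ROLES: Dict[str, str] = {
    "admin": "Administrator",
    "ops_manager": "Manager",
    "auditor1": "Auditor",
}

# Roles at or above Manager can create configuration objects, which is the
# precondition the advisory describes. Role names are assumptions here.
HIGH_PRIV_ROLES = {"Administrator", "Resource Administrator", "Manager"}

# tmsh verbs that create or change configuration objects.
OBJECT_CHANGE_VERBS = {"create", "modify"}

AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+).*?"
    r"AUDIT - pid=(?P<pid>\d+) user=(?P<user>\S+) folder=(?P<folder>\S+) "
    r"module=\((?P<module>[^)]*)\)# status=\[(?P<status>[^\]]*)\] "
    r"cmd_data=(?P<cmd>.*)$"
)


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one audit line, or None if it is not an audit entry."""
    m = AUDIT_RE.match(line)
    return m.groupdict() if m else None


def is_object_change(cmd: str) -> bool:
    """True when the tmsh command creates or modifies a configuration object."""
    parts = cmd.strip().split()
    return bool(parts) and parts[0] in OBJECT_CHANGE_VERBS


def review_findings(lines: Iterable[str], roles: Dict[str, str]) -> List[Dict[str, str]]:
    """Collect successful object create/modify commands issued by high-privilege accounts."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["status"] != "Command OK":
            continue  # skip non-audit lines and commands that did not take effect
        role = roles.get(rec["user"], "unknown")
        if role in HIGH_PRIV_ROLES and is_object_change(rec["cmd"]):
            rec["role"] = role
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in review_findings(SAMPLE_AUDIT_LOG.splitlines(), USER_ROLES):
        print(f"{f['ts']} {f['host']} user={f['user']} role={f['role']} cmd={f['cmd']}")
```

Run against the constructed sample, the review queue contains the two object changes made by the Manager-role account and nothing from the read-only commands. In practice every entry in this queue is a change that a Manager-or-higher account was entitled to make, so the point is not to treat each hit as an incident but to give the change-review process a complete list to compare against approved change tickets until the patch is applied.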

Evidence notes

The CVE record and NVD detail provide comprehensive information on the vulnerability, including its description, CVSS score, and affected products. F5 has provided mitigation guidance through its support article K000160863.

Official resources

This article was AI-assisted and based on the supplied source corpus.