Cyber Resilience

CVE-2026-40061

Severity: High · Type: RCE · Status: Updated

Published: 13 May 2026
Modified: 29 June 2026
CVSS Score (v4): 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0024 (14.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40061 is a high-severity Command Injection (CWE-77) vulnerability in F5 BIG-IP Domain Name System (BIG-IP DNS). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks at the 14.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges.

In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s)

CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

CWE-77 command injection in tmsh/iControl REST directly enables Unix shell command execution (T1059.004) and exploitation for privilege escalation (T1068) by an authenticated high-privileged user.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22472 (shared CWE-77)
CVE-2025-33181 (shared CWE-77)
CVE-2025-33180 (shared CWE-77)
CVE-2026-8632 (shared CWE-77)
CVE-2025-22473 (shared CWE-77)
CVE-2026-36741 (shared CWE-77)
CVE-2026-3517 (shared CWE-77)
CVE-2026-30898 (shared CWE-77)
CVE-2025-26331 (shared CWE-77)
CVE-2024-53412 (shared CWE-77)

Affected Assets

Vendor: F5
Product: BIG-IP Domain Name System
Affected versions: 16.1.0 to 16.1.6 · 17.1.0 to 17.1.3 · 17.5.0 to 17.5.1 · 21.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.