Cyber Resilience

CVE-2026-42406

HighUpdated

Published: 13 May 2026

Published
13 May 2026
Modified
23 June 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 4.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-42406 is a high-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support…

more

(EoTS) are not evaluated.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Authenticated attacker with config modification rights can directly execute arbitrary commands via unsafe privilege actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41225Same product: F5 Big-Ip Access Policy Manager
CVE-2026-41957Same product: F5 Big-Ip Access Policy Manager
CVE-2025-20029Same product: F5 Big-Ip Access Policy Manager
CVE-2025-21087Same product: F5 Big-Ip Access Policy Manager
CVE-2025-20045Same product: F5 Big-Ip Access Policy Manager
CVE-2026-41217Same product: F5 Big-Ip Access Policy Manager
CVE-2025-20058Same product: F5 Big-Ip Access Policy Manager
CVE-2025-24320Same product: F5 Big-Ip Access Policy Manager
CVE-2026-41218Same product: F5 Big-Ip Access Policy Manager
CVE-2026-41953Same product: F5 Big-Ip Access Policy Manager

Affected Assets

f5
big-ip access policy manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip advanced firewall manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip advanced web application firewall
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip analytics
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip application acceleration manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip application security manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip application visibility and reporting
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip automation toolchain
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip carrier-grade nat
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip container ingress services
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
+12 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References