Which versions of F5 BIG-IP are affected by CVE-2026-39459?

F5 BIG-IP contains a privilege escalation vulnerability in iControl REST API and TMOS Shell that allows authenticated administrators with Manager role or higher to execute arbitrary commands and…. A patch is available.

F5 BIG-IP CVE-2026-39459

Q: What is the CVSS score of CVE-2026-39459?

CVE-2026-39459 has a CVSS 4.0 base score of 8.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-29968 HIGH

Least Privilege Violation (CWE-272)

2026-05-13 f5

GHSA-pwjh-hfqc-xgc7

Information Disclosure

8.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

May 13, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

May 13, 2026 - 16:22 NVD

7.2 (HIGH) 8.6 (HIGH)

Analysis Generated

May 13, 2026 - 15:49 vuln.today

CVE Published

May 13, 2026 - 14:12 nvd

HIGH 7.2

DescriptionNVD

A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Authenticated attackers with Manager role or higher in F5 BIG-IP can execute arbitrary commands via malicious configuration objects in iControl REST API and TMOS Shell (tmsh). This privilege escalation vulnerability allows administrators to break out of their intended access boundaries and achieve full system control. …

RemediationAI

Within 24 hours: Identify all F5 BIG-IP instances in your environment and document current firmware versions. Within 7 days: Apply the latest vendor-released patch to all affected BIG-IP systems; contact F5 support or consult security advisories for specific patched versions corresponding to your current firmware branch. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-39459 vulnerability details – vuln.today

Back

F5 BIG-IP CVE-2026-39459

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

F5 BIG-IP CVE-2026-39459

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code