📄 Description (English)
A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🤖 AI Executive Summary
CVE-2026-32673 is a high-severity privilege escalation vulnerability in F5 BIG-IP scripted monitors affecting authenticated administrators. An attacker with Resource Administrator or Administrator role can execute arbitrary system commands with elevated privileges, potentially crossing security boundaries in appliance mode deployments. With a CVSS score of 8.7 and no patch currently available, this poses significant risk to organizations relying on BIG-IP for load balancing and application delivery.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 19, 2026 21:41
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations heavily dependent on F5 BIG-IP infrastructure face significant risk, particularly: Banking sector (SAMA-regulated institutions using BIG-IP for transaction processing and API gateways), Government agencies (NCA oversight entities), Telecom operators (STC, Mobily, Zain using BIG-IP for network load balancing), Energy sector (ARAMCO and downstream operations), and Healthcare providers. The privilege escalation capability enables lateral movement and potential compromise of critical backend systems. In appliance mode deployments common in Saudi data centers, attackers could bypass security boundaries and access sensitive financial or operational data.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Telecommunications
Energy and Oil & Gas
Healthcare
Data Centers and Cloud Service Providers
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all F5 BIG-IP deployments and document current software versions
2. Restrict administrative access: Limit Resource Administrator and Administrator role assignments to essential personnel only
3. Implement network segmentation: Isolate BIG-IP management interfaces from untrusted networks
4. Enable detailed audit logging for all administrative activities on BIG-IP systems
5. Monitor for suspicious scripted monitor activity and privilege escalation attempts
Compensating Controls (until patch available):
6. Implement multi-factor authentication (MFA) for all BIG-IP administrative accounts
7. Use privileged access management (PAM) solutions to control and audit administrative sessions
8. Deploy behavioral analytics to detect anomalous command execution patterns
9. Restrict scripted monitor functionality to essential use cases only; disable unused monitors
10. Implement command whitelisting on BIG-IP systems where possible
Detection Rules:
- Monitor for execution of system commands within scripted monitor contexts
- Alert on privilege escalation attempts from Resource Administrator to root/system level
- Track modifications to monitor scripts and configurations
- Log all administrative role changes and access grants
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع نشرات F5 BIG-IP وتوثيق إصدارات البرامج الحالية
2. تقييد الوصول الإداري: حد من تعيينات دور مسؤول الموارد والمسؤول للموظفين الأساسيين فقط
3. تنفيذ تقسيم الشبكة: عزل واجهات إدارة BIG-IP عن الشبكات غير الموثوقة
4. تفعيل تسجيل التدقيق المفصل لجميع الأنشطة الإدارية على أنظمة BIG-IP
5. مراقبة نشاط المراقب النصي المريب ومحاولات تصعيد الامتيازات
الضوابط التعويضية (حتى توفر التصحيح):
6. تنفيذ المصادقة متعددة العوامل (MFA) لجميع حسابات إدارة BIG-IP
7. استخدام حلول إدارة الوصول المميز (PAM) للتحكم في جلسات إدارية والتدقيق فيها
8. نشر تحليلات السلوك للكشف عن أنماط تنفيذ الأوامر الشاذة
9. تقييد وظيفة المراقب النصي للحالات الاستخدام الأساسية فقط؛ تعطيل المراقبات غير المستخدمة
10. تنفيذ القائمة البيضاء للأوامر على أنظمة BIG-IP حيث أمكن
قواعد الكشف:
- مراقبة تنفيذ أوامر النظام ضمن سياقات المراقب النصي
- تنبيه محاولات تصعيد الامتيازات من مسؤول الموارد إلى مستوى الجذر/النظام
- تتبع التعديلات على نصوص المراقب والتكوينات
- تسجيل جميع تغييرات الأدوار الإدارية ومنح الوصول
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 - 5.1.1: Access Control and Authentication
ECC 2024 - 5.2.1: Privileged Access Management
ECC 2024 - 5.3.1: Audit and Accountability
ECC 2024 - 6.1.1: System Hardening and Configuration Management
🔵 SAMA CSF
SAMA CSF - Governance: Risk Management and Compliance
SAMA CSF - Protect: Access Control and Authentication
SAMA CSF - Detect: Monitoring and Logging
SAMA CSF - Respond: Incident Response Procedures
🟡 ISO 27001:2022
ISO 27001:2022 - A.5.2: User Access Management
ISO 27001:2022 - A.5.3: Access Rights
ISO 27001:2022 - A.8.2: Privileged Access Rights
ISO 27001:2022 - A.8.3: Information Security in Supplier Relationships
ISO 27001:2022 - A.12.4: Logging
🟣 PCI DSS v4.0.1
PCI DSS 3.2.1: Strong Cryptography for Authentication
PCI DSS 7.1: Limit Access to System Components
PCI DSS 8.2: Ensure User Identity is Properly Managed
PCI DSS 10.2: Implement Automated Audit Trails
🔗 References & Sources 1