ctipilot.ch

F5 BIG-IP / BIG-IQ iControl REST Manager-role authenticated RCE — lead bug of the May 2026 Quarterly Security Notification (43 CVEs)

cve · CVE-2026-41225

Coverage timeline: 2 (first 2026-05-17 → last 2026-05-17)
Briefs: 1 (1 distinct)
Sources cited: 5 (4 hosts)
Sections touched: 2 (action_items, trending_vulns)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-17: CTI Daily Brief — 2026-05-17
     trending_vulns: First coverage. CVSS 9.1; Manager-role iControl REST; secondary 8.7-class cluster includes command injection, SSH-password leakage, Appliance-mode bypass; 43 CVEs total. No ITW.
  2. 2026-05-17: CTI Daily Brief — 2026-05-17
     action_items: Action: apply F5 May 2026 Quarterly; rotate iControl REST Manager-role credentials.

Where this entity is cited

  • trending_vulns (1)
  • action_items (1)

Source distribution

  • advisories.ncsc.nl: 2 (40%)
  • my.f5.com: 1 (20%)
  • securityweek.com: 1 (20%)
  • cwe.mitre.org: 1 (20%)

Related entities

Items in briefs about F5 BIG-IP / BIG-IQ iControl REST Manager-role authenticated RCE — lead bug of the May 2026 Quarterly Security Notification (43 CVEs) (1)

CVE-2026-41225 — F5 BIG-IP / BIG-IQ: iControl REST Manager-role authenticated RCE (CVSS 4.0 score 8.6 / CVSS 3.1 score 9.1) leading the May 2026 Quarterly Notification

From CTI Daily Brief — 2026-05-17 · published 2026-05-17

F5 published its May 2026 Quarterly Security Notification on 2026-05-14. SecurityWeek's article describes the scope as "over 19 high-severity and 32 medium-severity vulnerabilities impacting BIG-IP, BIG-IQ, and NGINX" — summing to 51-plus across the F5 product family; NCSC-NL's CSAF restatement (NCSC-2026-0162) lists 43 CVEs in the BIG-IP / BIG-IQ scope (NGINX bugs counted separately). The affected components span iControl REST, iControl SOAP, the TMOS Shell, Traffic Management Microkernel (TMM), the Configuration utility, Advanced WAF, ASM, PEM, DNS, APM, and SSL Orchestrator (F5 K000160932, 2026-05-14; SecurityWeek, 2026-05-14; NCSC-NL NCSC-2026-0162, 2026-05-15).

The lead issue is CVE-2026-41225 — F5 / SecurityWeek score it CVSS 4.0 base 8.6 HIGH; NVD and NCSC-NL also publish a CVSS 3.1 base score of 9.1 CRITICAL for the same CVE (the v3.1/v4.0 scale difference, not a vendor disagreement on severity). CWE-648 Incorrect Use of Privileged APIs (per NVD); NVD verbatim: "A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands" — an authenticated RCE via the iControl REST /mgmt/tm/ API, exploitable by any principal holding the Manager RBAC role.

The CVSS-8.7 secondary cluster covers iControl REST command injection (CVE-2026-42930, CVE-2026-42924, CVE-2026-42406, CVE-2026-41953), SSH-password leakage in audit log / API response bodies (CVE-2026-40698), and privilege escalation via misconfigured permissions (CVE-2026-40631, CVE-2026-40061, CVE-2026-34176). The exploitation prerequisite is authenticated Manager-role network access to the BIG-IP management port or self-IP addresses — once present, the attacker can also bypass Appliance mode restrictions designed as a hardening boundary. No exploitation in the wild reported as of advisory publication.
Why it matters to us: the operationally significant chain is initial-access-by-credential-theft → iControl-REST-object-creation → shell command execution under the BIG-IP control plane. SOCs should monitor iControl REST audit logs for POST/PATCH requests creating unexpected configuration objects from Manager-role principals; alert on TMSH commands spawning shell subprocesses outside change windows; restrict iControl REST reachability to jump hosts on management-only VLANs; rotate every Manager-role credential as the May 2026 quarterly is rolled out; disable iControl SOAP entirely where unused. Separately, the previously-covered CVE-2026-42945 NGINX heap overflow is rolled into F5's quarterly scope but is not re-reported here.
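The monitoring recommendation above (flag privileged-role writes to /mgmt/tm/ that arrive outside a change window or from somewhere other than an approved jump host) as a small detection pass, added here as an illustration; it is not code from the brief, from F5, or from any of the cited sources. The JSON-lines audit format, the field names (ts, user, role, method, uri, status, src), the role names, the jump-host allowlist and the 08:00–18:00 UTC change window are all constructed assumptions for the example and do not describe F5's real restjavad audit-log layout.

```python
import json
from datetime import datetime, time, timezone

# --- Constructed policy inputs (assumptions, not F5 defaults) -----------------
WRITE_METHODS = {"POST", "PATCH", "PUT"}            # object-creating / object-modifying verbs
PRIVILEGED_ROLES = {"Manager", "Administrator"}     # roles whose writes we want to review
JUMP_HOSTS = {"10.10.0.5"}                          # approved management-VLAN jump hosts
CHANGE_WINDOW = (time(8, 0), time(18, 0))           # 08:00-18:00 UTC, constructed

# --- Constructed sample audit records (NOT the real restjavad audit format) ---
SAMPLE_LOG = """\
{"ts": "2026-05-18T09:12:03Z", "user": "netops-jump", "role": "Manager", "method": "GET", "uri": "/mgmt/tm/ltm/virtual", "status": 200, "src": "10.10.0.5"}
{"ts": "2026-05-18T10:41:17Z", "user": "svc-automation", "role": "Manager", "method": "POST", "uri": "/mgmt/tm/ltm/pool", "status": 200, "src": "10.10.0.5"}
{"ts": "2026-05-18T02:03:44Z", "user": "contractor7", "role": "Manager", "method": "POST", "uri": "/mgmt/tm/ltm/node", "status": 200, "src": "203.0.113.77"}
{"ts": "2026-05-18T02:05:01Z", "user": "contractor7", "role": "Manager", "method": "PATCH", "uri": "/mgmt/tm/ltm/pool/~Common~p1", "status": 200, "src": "203.0.113.77"}
{"ts": "2026-05-18T11:00:00Z", "user": "auditor", "role": "Auditor", "method": "POST", "uri": "/mgmt/tm/ltm/pool", "status": 401, "src": "10.10.0.9"}
"""


def parse_record(line):
    """Parse one JSON-lines audit record; timestamps are 'Z'-suffixed UTC."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def in_change_window(ts, window=CHANGE_WINDOW):
    """True when the (UTC) timestamp falls inside [start, end) of the window."""
    start, end = window
    return start <= ts.time() < end


def analyze(log_text, jump_hosts=JUMP_HOSTS, window=CHANGE_WINDOW):
    """Return alerts for successful privileged-role writes under /mgmt/tm/.

    Every such write is at least 'review' severity; it becomes 'high' when it
    happens outside the change window or does not come from an approved jump host.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        # Only configuration writes to the iControl REST tm namespace are of interest.
        if rec["method"] not in WRITE_METHODS or not rec["uri"].startswith("/mgmt/tm/"):
            continue
        if rec["status"] >= 400:          # rejected request: no object was created
            continue
        if rec["role"] not in PRIVILEGED_ROLES:
            continue
        reasons = []
        if not in_change_window(rec["ts"], window):
            reasons.append("outside change window")
        if rec["src"] not in jump_hosts:
            reasons.append(f"source {rec['src']} not an approved jump host")
        alerts.append({
            "ts": rec["ts"].isoformat(),
            "user": rec["user"],
            "role": rec["role"],
            "method": rec["method"],
            "uri": rec["uri"],
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert['severity']:6}] {alert['ts']} {alert['user']} "
              f"{alert['method']} {alert['uri']} {'; '.join(alert['reasons'])}")
```

Against the constructed sample this yields one "review" alert (an in-window write from the jump host, which still deserves a change-ticket match) and two "high" alerts for the overnight writes from an unapproved source. In a real deployment the allowlist and window come from the change-management system, and the same pass should be extended to the audit source for TMSH/shell subprocesses the brief also calls out.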