CVE-2026-40698: Privilege Escalation in F5 BIG-IP
Platform
linux
Component
bigip
Fixed in
21.0.0.2
CVE-2026-40698 describes a privilege escalation vulnerability in F5 BIG-IP and BIG-IQ systems. A highly privileged, authenticated attacker, possessing at least the Resource Administrator role, can leverage this flaw to create malicious SNMP configuration objects. This can lead to unauthorized access and control of the system, potentially compromising sensitive data and system integrity. Affected versions include those between 16.1.0 and 21.0.0.2, with a fix available in version 21.0.0.2.
Impact and Attack Scenarios
The impact of CVE-2026-40698 is significant due to the potential for privilege escalation. An attacker who can successfully exploit this vulnerability can gain control over the BIG-IP or BIG-IQ system, effectively bypassing existing security controls. This could allow them to modify configurations, access sensitive data (such as user credentials, network traffic logs, and application data), and potentially pivot to other systems within the network. The ability to create SNMP configuration objects provides a flexible attack vector, allowing attackers to tailor their actions to achieve specific objectives. Successful exploitation could lead to a complete compromise of the affected system and its associated data, similar to scenarios where attackers leverage misconfigured administrative interfaces to gain control.
Exploitation Context
CVE-2026-40698 was published on May 13, 2026. The vulnerability's exploitation probability is currently assessed as medium due to the requirement for authenticated access with a specific role. No public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) catalogs. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation activity.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- High — admin or privileged account required to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-40698 is to upgrade to F5 BIG-IP or BIG-IQ version 21.0.0.2 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restricting access to iControl REST and the TMOS shell (tmsh) to only authorized personnel can reduce the attack surface. Review and audit existing SNMP configurations to identify and remove any suspicious or unauthorized objects. Implement strict role-based access controls to limit the number of users with the Resource Administrator role. Monitor iControl REST and tmsh activity for any unusual or unauthorized configuration changes. After upgrading, verify the fix by attempting to create an SNMP configuration object with a non-administrative user account; the attempt should be rejected.
How to fix
Actualice a una versión corregida de BIG-IP o BIG-IQ. F5 ha lanzado parches para abordar esta vulnerabilidad. Consulte la documentación de F5 para obtener instrucciones detalladas sobre cómo aplicar las actualizaciones y mitigar el riesgo.
Frequently asked questions
What is CVE-2026-40698 — Privilege Escalation in F5 BIG-IP?
CVE-2026-40698 is a HIGH severity vulnerability affecting F5 BIG-IP and BIG-IQ systems. It allows an authenticated attacker with the Resource Administrator role to escalate privileges by creating malicious SNMP configurations.
Am I affected by CVE-2026-40698 in F5 BIG-IP?
You are affected if you are running F5 BIG-IP or BIG-IQ versions between 16.1.0 and 21.0.0.2. Check your version and upgrade as soon as possible.
How do I fix CVE-2026-40698 in F5 BIG-IP?
Upgrade to F5 BIG-IP or BIG-IQ version 21.0.0.2 or later. Implement temporary workarounds like restricting access to iControl REST and tmsh if an immediate upgrade is not possible.
Is CVE-2026-40698 being actively exploited?
Currently, there are no reports of active exploitation or public exploits for CVE-2026-40698, but continuous monitoring is recommended.
Where can I find the official F5 advisory for CVE-2026-40698?
Refer to the official F5 security advisory for CVE-2026-40698 on the F5 website (https://www.f5.com/security/center/alerts/all/57486).
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...