CVE-2026-40631

F5 · BIG-IP

An authenticated Resource Administrator or Administrator can modify configuration objects via iControl SOAP, leading to privilege escalation in F5 BIG-IP.

Executive summary

An authenticated privilege escalation vulnerability in F5 BIG-IP allows administrative users to modify system configurations, posing a significant risk to infrastructure integrity.

Vulnerability

This is a CWE-552 vulnerability where configuration objects are improperly accessible. The attack requires the user to have already obtained Resource Administrator or Administrator privileges, meaning this is an escalation of privilege from an already high-privileged account.

Business impact

The ability for an administrator to modify arbitrary configuration objects could lead to complete system compromise, unauthorized traffic redirection, or the disabling of security controls. With a CVSS score of 8.7, this vulnerability represents a high-severity risk to business continuity and data confidentiality, as it bypasses intended access control limitations within the administrative interface.

Remediation

Immediate Action: Update F5 BIG-IP installations to version 21.1.0 or later, as provided in the vendor's security advisory.

Proactive Monitoring: Review iControl SOAP access logs for unusual configuration change patterns or administrative actions performed by service accounts.

Compensating Controls: Restrict access to the iControl SOAP interface to trusted management IP addresses and enforce strict multi-factor authentication (MFA) for all administrative accounts.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the severity of the potential impact, organizations should prioritize patching F5 BIG-IP systems during the next maintenance window. Administrators must ensure that only authorized personnel have high-level access to the iControl SOAP interface to prevent exploitation of this privilege escalation flaw.