CVE-2026-40698
F5 · BIG-IP and BIG-IQ
An OS command injection vulnerability in F5 BIG-IP and BIG-IQ allows a highly privileged authenticated attacker to escalate privileges via SNMP configuration.
Executive summary
An OS command injection vulnerability in F5 BIG-IP and BIG-IQ enables high-privileged users to achieve further unauthorized privilege escalation.
Vulnerability
This is an OS command injection flaw (CWE-77) that can be triggered by an authenticated attacker with a "Resource Administrator" role or higher, allowing them to manipulate SNMP configurations via iControl REST or the TMOS shell.
Business impact
While this requires high-level authentication, a successful exploit grants the attacker elevated control over the network infrastructure, which can be leveraged to compromise entire segments. The CVSS score of 8.7 reflects the high impact on system integrity and the potential for full administrative takeover of the networking appliance.
Remediation
Immediate Action: Update to the patched versions provided by F5 (e.g., 21.1.0 and later for BIG-IP) as documented in the vendor advisory.
Proactive Monitoring: Audit all SNMP configuration changes and review logs for suspicious activity within iControl REST and the TMOS shell.
Compensating Controls: Limit access to administrative interfaces and REST APIs to trusted IP addresses and strictly enforce the principle of least privilege for all administrative accounts.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
System administrators should immediately review their F5 deployment versions and apply the necessary patches. Given the potential for total system compromise, ensure that administrative access is tightly controlled and that all configuration changes are monitored by security personnel.