CVE-2026-40698

F5 · BIG-IP and BIG-IQ

An OS command injection vulnerability in F5 BIG-IP and BIG-IQ allows a highly privileged authenticated attacker to escalate privileges via SNMP configuration.

Executive summary

An OS command injection vulnerability in F5 BIG-IP and BIG-IQ enables high-privileged users to achieve further unauthorized privilege escalation.

Vulnerability

This is an OS command injection flaw (CWE-77) that can be triggered by an authenticated attacker with a "Resource Administrator" role or higher, allowing them to manipulate SNMP configurations via iControl REST or the TMOS shell.

Business impact

While this requires high-level authentication, a successful exploit grants the attacker elevated control over the network infrastructure, which can be leveraged to compromise entire segments. The CVSS score of 8.7 reflects the high impact on system integrity and the potential for full administrative takeover of the networking appliance.

Remediation

Immediate Action: Update to the patched versions provided by F5 (e.g., 21.1.0 and later for BIG-IP) as documented in the vendor advisory.

Proactive Monitoring: Audit all SNMP configuration changes and review logs for suspicious activity within iControl REST and the TMOS shell.

Compensating Controls: Limit access to administrative interfaces and REST APIs to trusted IP addresses and strictly enforce the principle of least privilege for all administrative accounts.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

System administrators should immediately review their F5 deployment versions and apply the necessary patches. Given the potential for total system compromise, ensure that administrative access is tightly controlled and that all configuration changes are monitored by security personnel.