CVE-2026-40631

HIGH EPSS 16.0%

Published May 13, 20261mo ago · Modified Jun 29, 2026today

8.5 CVSS 4.0

High

Published May 13, 2026 1mo ago

Last Modified Jun 29, 2026 today

Description

An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

Base Score

8.5

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

16.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-552

Affected Products 84

Vendor	Product	Version	Range
f5	big-ip_access_policy_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_access_policy_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_advanced_firewall_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_advanced_firewall_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_advanced_web_application_firewall	*	≥17.1.0 – ≤17.1.3
f5	big-ip_advanced_web_application_firewall	*	≥17.5.0 – ≤17.5.1
f5	big-ip_analytics	*	≥17.1.0 – ≤17.1.3
f5	big-ip_analytics	*	≥17.5.0 – ≤17.5.1
f5	big-ip_application_acceleration_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_application_acceleration_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_application_security_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_application_security_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_application_visibility_and_reporting	*	≥17.1.0 – ≤17.1.3
f5	big-ip_application_visibility_and_reporting	*	≥17.5.0 – ≤17.5.1
f5	big-ip_automation_toolchain	*	≥17.1.0 – ≤17.1.3
f5	big-ip_automation_toolchain	*	≥17.5.0 – ≤17.5.1
f5	big-ip_carrier-grade_nat	*	≥17.1.0 – ≤17.1.3
f5	big-ip_carrier-grade_nat	*	≥17.5.0 – ≤17.5.1
f5	big-ip_container_ingress_services	*	≥17.1.0 – ≤17.1.3
f5	big-ip_container_ingress_services	*	≥17.5.0 – ≤17.5.1
f5	big-ip_ddos_hybrid_defender	*	≥17.1.0 – ≤17.1.3
f5	big-ip_ddos_hybrid_defender	*	≥17.5.0 – ≤17.5.1
f5	big-ip_domain_name_system	*	≥17.1.0 – ≤17.1.3
f5	big-ip_domain_name_system	*	≥17.5.0 – ≤17.5.1
f5	big-ip_edge_gateway	*	≥17.1.0 – ≤17.1.3
f5	big-ip_edge_gateway	*	≥17.5.0 – ≤17.5.1
f5	big-ip_fraud_protection_service	*	≥17.1.0 – ≤17.1.3
f5	big-ip_fraud_protection_service	*	≥17.5.0 – ≤17.5.1
f5	big-ip_global_traffic_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_global_traffic_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_link_controller	*	≥17.1.0 – ≤17.1.3
f5	big-ip_link_controller	*	≥17.5.0 – ≤17.5.1
f5	big-ip_local_traffic_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_local_traffic_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_policy_enforcement_manager	*	≥17.1.0 – ≤17.1.3
f5	big-ip_policy_enforcement_manager	*	≥17.5.0 – ≤17.5.1
f5	big-ip_ssl_orchestrator	*	≥17.1.0 – ≤17.1.3
f5	big-ip_ssl_orchestrator	*	≥17.5.0 – ≤17.5.1
f5	big-ip_webaccelerator	*	≥17.1.0 – ≤17.1.3
f5	big-ip_webaccelerator	*	≥17.5.0 – ≤17.5.1
f5	big-ip_websafe	*	≥17.1.0 – ≤17.1.3
f5	big-ip_websafe	*	≥17.5.0 – ≤17.5.1
f5	big-ip_access_policy_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_advanced_firewall_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_advanced_web_application_firewall	*	≥16.1.0 – ≤16.1.6
f5	big-ip_analytics	*	≥16.1.0 – ≤16.1.6
f5	big-ip_application_acceleration_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_application_security_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_application_visibility_and_reporting	*	≥16.1.0 – ≤16.1.6
f5	big-ip_automation_toolchain	*	≥16.1.0 – ≤16.1.6
f5	big-ip_carrier-grade_nat	*	≥16.1.0 – ≤16.1.6
f5	big-ip_container_ingress_services	*	≥16.1.0 – ≤16.1.6
f5	big-ip_ddos_hybrid_defender	*	≥16.1.0 – ≤16.1.6
f5	big-ip_domain_name_system	*	≥16.1.0 – ≤16.1.6
f5	big-ip_edge_gateway	*	≥16.1.0 – ≤16.1.6
f5	big-ip_fraud_protection_service	*	≥16.1.0 – ≤16.1.6
f5	big-ip_global_traffic_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_link_controller	*	≥16.1.0 – ≤16.1.6
f5	big-ip_local_traffic_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_policy_enforcement_manager	*	≥16.1.0 – ≤16.1.6
f5	big-ip_ssl_orchestrator	*	≥16.1.0 – ≤16.1.6
f5	big-ip_webaccelerator	*	≥16.1.0 – ≤16.1.6
f5	big-ip_websafe	*	≥16.1.0 – ≤16.1.6
f5	big-ip_access_policy_manager	21.0.0	any
f5	big-ip_advanced_firewall_manager	21.0.0	any
f5	big-ip_advanced_web_application_firewall	21.0.0	any
f5	big-ip_analytics	21.0.0	any
f5	big-ip_application_acceleration_manager	21.0.0	any
f5	big-ip_application_security_manager	21.0.0	any
f5	big-ip_application_visibility_and_reporting	21.0.0	any
f5	big-ip_automation_toolchain	21.0.0	any
f5	big-ip_carrier-grade_nat	21.0.0	any
f5	big-ip_container_ingress_services	21.0.0	any
f5	big-ip_ddos_hybrid_defender	21.0.0	any
f5	big-ip_domain_name_system	21.0.0	any
f5	big-ip_edge_gateway	21.0.0	any
f5	big-ip_fraud_protection_service	21.0.0	any
f5	big-ip_global_traffic_manager	21.0.0	any
f5	big-ip_link_controller	21.0.0	any
f5	big-ip_local_traffic_manager	21.0.0	any
f5	big-ip_policy_enforcement_manager	21.0.0	any
f5	big-ip_ssl_orchestrator	21.0.0	any
f5	big-ip_webaccelerator	21.0.0	any
f5	big-ip_websafe	21.0.0	any

References 1

my.f5.com https://my.f5.com/manage/s/article/K000160979

MitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.