CVE-2026-40462 Overview
CVE-2026-40462 is an incorrect permission assignment vulnerability affecting F5 iControl REST and the TMOS shell (tmsh). An undisclosed command grants authenticated users access to sensitive information that should be restricted by role-based access controls. The flaw maps to [CWE-732: Incorrect Permission Assignment for Critical Resource].
An authenticated attacker with low privileges can leverage the affected command over the network to disclose sensitive data from the BIG-IP system. F5 has not evaluated software versions that have reached End of Technical Support (EoTS). Refer to the F5 Security Advisory for vendor-specific guidance.
Critical Impact
Authenticated low-privileged users can read sensitive system information through iControl REST or tmsh, bypassing intended role-based access restrictions.
Affected Products
- F5 iControl REST interface
- F5 TMOS shell (tmsh)
- F5 BIG-IP software versions still under Technical Support
Discovery Timeline
- 2026-05-13 - CVE-2026-40462 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40462
Vulnerability Analysis
The vulnerability stems from incorrect permission assignment on an undisclosed command exposed through both the iControl REST API and the tmsh command-line interface. F5 BIG-IP enforces a role-based access control (RBAC) model where users such as Guest, Operator, or Auditor should not have visibility into certain configuration or runtime data.
The affected command does not enforce these role boundaries correctly. As a result, an authenticated user holding lower-privileged credentials can issue the command and retrieve information that should be restricted to administrative roles. The CVSS v4.0 vector indicates high impact to confidentiality only, with no integrity or availability impact.
F5 has not disclosed the specific command to prevent immediate weaponization. The vulnerability does not require user interaction and can be triggered remotely against the management interface.
Root Cause
The root cause is a missing or insufficient authorization check on a privileged command path shared by iControl REST and tmsh. The command executes and returns sensitive data without verifying that the calling user's role grants access to that resource, violating the principle of least privilege.
Attack Vector
Exploitation requires valid credentials on the BIG-IP management plane. The attacker authenticates to either the iControl REST endpoint over HTTPS or the tmsh shell, then invokes the undisclosed command. The system returns sensitive output to the attacker without enforcing the expected role check.
The vulnerability is network-reachable wherever the BIG-IP management interface is exposed. Attack complexity is low and no user interaction is required, though authentication is mandatory.
No public proof-of-concept code is available, and the command itself has not been disclosed by F5. The EPSS score is 0.05%, indicating low probability of exploitation activity in the short term.
Detection Methods for CVE-2026-40462
Indicators of Compromise
- Unexpected iControl REST API calls from non-administrative accounts to undocumented or rarely-used endpoints under /mgmt/tm/
- tmsh command execution by users assigned the Guest, Operator, Auditor, or other restricted roles
- Unusual volume of read-only API requests from a single authenticated session targeting configuration objects
Detection Strategies
- Enable and centralize BIG-IP audit logging (/var/log/audit) and iControl REST request logs to a SIEM for correlation
- Baseline normal tmsh and iControl REST usage per user role, then alert on deviations such as low-privileged accounts invoking administrative-style commands
- Correlate authentication events with command invocations to detect accounts probing for accessible commands
Monitoring Recommendations
- Forward BIG-IP syslog and audit streams to a centralized log platform with retention sufficient for forensic review
- Monitor for new or atypical service accounts authenticating to the management plane
- Restrict management interface exposure to dedicated administrative networks and alert on access from outside those ranges
How to Mitigate CVE-2026-40462
Immediate Actions Required
- Review the F5 Security Advisory K000156581 and identify affected BIG-IP versions in your environment
- Apply the fixed software versions published by F5 as soon as maintenance windows permit
- Audit existing user accounts and remove low-privileged accounts that are no longer required on the management plane
- Rotate credentials for any account suspected of having invoked the affected command path
Patch Information
F5 has published remediation guidance and fixed versions in security advisory K000156581. Versions that have reached End of Technical Support are not evaluated and will not receive a fix; upgrade to a supported release before applying patches. Consult the advisory for the exact fixed version mapping for each BIG-IP branch.
Workarounds
- Restrict access to the BIG-IP management interface and iControl REST endpoint to trusted administrative networks only
- Limit account provisioning so that only required users receive tmsh or iControl REST access, and enforce the principle of least privilege on assigned roles
- Enforce strong authentication, including multi-factor authentication, for all management-plane users
- Enable command auditing and alert on use of administrative commands by non-administrative roles
# Configuration example: restrict iControl REST and tmsh management access
# Limit management access to a specific administrative subnet
tmsh modify sys httpd allow replace-all-with { 10.10.0.0/24 }
tmsh modify sys sshd allow replace-all-with { 10.10.0.0/24 }
# Review user roles and remove unnecessary accounts
tmsh list auth user
tmsh delete auth user <unused-account>
# Save configuration
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
