CVE-2026-40698 Overview
CVE-2026-40698 is a privilege escalation vulnerability in F5 BIG-IP and BIG-IQ systems. An authenticated attacker with at least the Resource Administrator role can create Simple Network Management Protocol (SNMP) configuration objects through iControl REST or the TMOS shell (tmsh). The flaw, classified as [CWE-77] Improper Neutralization of Special Elements used in a Command, allows the attacker to escalate privileges on the affected device. Software versions that have reached End of Technical Support (EoTS) are not evaluated by the vendor.
Critical Impact
A Resource Administrator can bypass role boundaries and gain higher-privileged execution on BIG-IP and BIG-IQ systems through crafted SNMP configuration objects.
Affected Products
- F5 BIG-IP
- F5 BIG-IQ
- Configuration interfaces: iControl REST and TMOS shell (tmsh)
Discovery Timeline
- 2026-05-13 - CVE-2026-40698 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40698
Vulnerability Analysis
The vulnerability resides in how BIG-IP and BIG-IQ process SNMP configuration objects submitted through iControl REST or tmsh. The system fails to neutralize special elements within these configuration objects before they are passed to a command context. This corresponds to [CWE-77], a command injection class weakness. An attacker holding the Resource Administrator role can craft SNMP objects that lead to execution under a higher privilege context than the role normally permits. The result is a vertical privilege escalation on the appliance management plane.
Root Cause
The root cause is improper neutralization of special elements within SNMP configuration object inputs. The configuration pipeline accepted by both iControl REST and tmsh does not adequately sanitize values that are later consumed by a command interpreter. Because the Resource Administrator role is permitted to create SNMP objects, the role check at the API boundary is the only control between an operator-supplied value and that interpreter; once the value reaches the interpreter it runs with the privileges of the component that consumes it, not with those of the submitting role.
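The following is an added illustration of the CWE-77 pattern the advisory cites, written for this page; it is not F5 code and says nothing about how BIG-IP actually builds or runs commands from SNMP objects. The snmpwalk command line, the community-string allowlist and the attacker value are assumptions chosen for the illustration. It shows the weakness (a value spliced into a shell command string) next to the fix (allowlist validation plus an argv list that never reaches a shell), and it parses rather than executes the unsafe command so it can run anywhere.

```python
"""Generic CWE-77 illustration: an SNMP community string reaching a command line.

Added example for this page; not F5 code. The command being built, the allowlist
and the attacker-supplied value are assumptions made for the illustration.
Nothing is executed: the unsafe path is only tokenised to show what a shell
would see.
"""
from __future__ import annotations

import re
import shlex

# Constructed inputs: a benign community string and one carrying an injected command.
BENIGN_COMMUNITY = "monitoring-ro"
INJECTED_COMMUNITY = "public; id > /tmp/pwned"

# Assumed allowlist for a community string: a short run of safe characters.
COMMUNITY_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def build_command_unsafe(community: str, target: str = "127.0.0.1") -> str:
    """The weakness: the value is spliced into one string that a shell will parse.

    Any character the shell treats specially (; | & ` $( ) becomes syntax,
    so the value stops being data.
    """
    return f"snmpwalk -v2c -c {community} {target} system"


def shell_commands(cmdline: str) -> list[list[str]]:
    """Tokenise a command line the way a POSIX shell would and split it on ';'.

    Returns the argv vectors the shell would run in sequence. This is how the
    example exposes the injection without invoking a shell.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = [[]]
    for token in lexer:
        if token == ";":
            commands.append([])
        else:
            commands[-1].append(token)
    return [argv for argv in commands if argv]


def build_command_safe(community: str, target: str = "127.0.0.1") -> list[str]:
    """The fix: validate against an allowlist, then pass an argv list (no shell).

    With an argv list the community string reaches execve as a single argument,
    so metacharacters are never parsed; the allowlist additionally keeps hostile
    values out of the stored configuration.
    """
    if not COMMUNITY_RE.fullmatch(community):
        raise ValueError(f"community string rejected by allowlist: {community!r}")
    return ["snmpwalk", "-v2c", "-c", community, target, "system"]


if __name__ == "__main__":
    for value in (BENIGN_COMMUNITY, INJECTED_COMMUNITY):
        print(f"unsafe {value!r}: shell would run {shell_commands(build_command_unsafe(value))}")
        try:
            print(f"safe   {value!r}: argv {build_command_safe(value)}")
        except ValueError as err:
            print(f"safe   {value!r}: {err}")
```

For the injected value the unsafe builder yields two commands, the second of which starts with `id`; the safe builder rejects the same value before any command is constructed.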
Attack Vector
Exploitation requires network access to the management interface and valid credentials for an account with the Resource Administrator role or higher. The attacker authenticates to iControl REST or opens a tmsh session and submits a crafted SNMP configuration object. The injected content is interpreted as a command, producing privileged actions outside the attacker's assigned role. No user interaction is required once authentication is complete.
Verified exploit code is not publicly available. See the F5 Security Article K000160981 for vendor technical details.
Detection Methods for CVE-2026-40698
Indicators of Compromise
- Creation or modification of SNMP configuration objects by Resource Administrator accounts that do not typically perform SNMP changes.
- iControl REST API calls to SNMP-related endpoints containing shell metacharacters such as backticks, semicolons, pipes, or $().
- tmsh session history showing SNMP object creation with unexpected string values or command-like substrings.
- New or unexpected processes spawned by the management daemons following SNMP configuration changes.
Detection Strategies
- Audit the tmsh audit log (/var/log/audit) and the restjavad logs for SNMP object create and modify operations, and correlate each with the submitting user's role.
- Alert on iControl REST requests to /mgmt/tm/sys/snmp paths that contain shell metacharacters in JSON payload fields.
- Baseline normal SNMP configuration activity per administrator and flag deviations involving privilege-sensitive fields.
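The following is an added example for this page (not F5 code, and not taken from the advisory) that runs the indicators and detection strategies above over constructed sample data. The tmsh lines approximate the /var/log/audit format, the REST records are a simplified stand-in for what restjavad records about a request, and the ROLES map, field names and sample values are all assumptions; tune the patterns against records from your own appliances before relying on them.

```python
"""Detection sketch for SNMP configuration writes on BIG-IP/BIG-IQ.

Added example for this page; not F5 code. The tmsh audit line format is a
constructed approximation of /var/log/audit and the REST records are a
simplified stand-in for restjavad request logging.
"""
from __future__ import annotations

import re
from typing import Iterable, Iterator

# Shell metacharacters that have no business inside an SNMP community, user,
# trap or OID value. Braces are left out: they are ordinary tmsh syntax.
SHELL_META_RE = re.compile(r"[;|&`]|\$\(|\$\{")
# tmsh writes that touch the SNMP subtree.
SNMP_WRITE_RE = re.compile(r"^(create|modify)\s+sys\s+snmp\b")
# Fields pulled from a /var/log/audit style line (constructed approximation).
AUDIT_LINE_RE = re.compile(r"\buser=(?P<user>\S+)\b.*?\bcmd_data=(?P<cmd>.*)$")
REST_WRITE_METHODS = {"POST", "PUT", "PATCH"}
SNMP_REST_PREFIX = "/mgmt/tm/sys/snmp"

# Constructed role map, as you would derive it from `tmsh list auth user`.
ROLES = {"ops-ra": "resource-admin", "admin": "admin"}

# Constructed tmsh audit lines: a read, a create carrying backticks, an admin
# change, and a benign change by a Resource Administrator.
TMSH_AUDIT_LINES = """\
Mar 10 09:12:01 bigip1 notice tmsh[4321]: 01420002:5: AUDIT - pid=4321 user=ops-ra folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys snmp
Mar 10 09:13:44 bigip1 notice tmsh[4321]: 01420002:5: AUDIT - pid=4321 user=ops-ra folder=/Common module=(tmos)# status=[Command OK] cmd_data=create sys snmp communities monitor { community-name public`id` source 10.0.0.5 }
Mar 10 09:15:02 bigip1 notice tmsh[5555]: 01420002:5: AUDIT - pid=5555 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys snmp communities monitor { source 10.0.0.6 }
Mar 10 09:25:30 bigip1 notice tmsh[6001]: 01420002:5: AUDIT - pid=6001 user=ops-ra folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys snmp communities monitor { source 10.0.0.7 }
""".splitlines()

# Constructed REST request records (simplified): decoded JSON body per request.
REST_RECORDS = [
    {"user": "ops-ra", "method": "POST", "uri": "/mgmt/tm/sys/snmp/communities",
     "body": {"name": "monitor", "communityName": "public; id", "source": "10.0.0.5"}},
    {"user": "admin", "method": "GET", "uri": "/mgmt/tm/sys/snmp", "body": None},
    {"user": "ops-ra", "method": "POST", "uri": "/mgmt/tm/ltm/pool", "body": {"name": "web-pool"}},
    {"user": "ops-ra", "method": "PATCH", "uri": "/mgmt/tm/sys/snmp/traps/~Common~t1",
     "body": {"community": "$(reboot)"}},
]


def _string_values(obj: object) -> Iterator[str]:
    """Yield every string leaf in a decoded JSON body, whatever its nesting."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _string_values(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _string_values(value)


def _finding(source: str, user: str, role: str, severity: str, detail: str) -> dict:
    return {"source": source, "user": user, "role": role, "severity": severity, "detail": detail}


def scan_tmsh_audit(lines: Iterable[str], roles: dict[str, str]) -> list[dict]:
    """Flag SNMP writes: 'high' if the command carries shell metacharacters,
    'review' if a Resource Administrator made an otherwise clean SNMP change."""
    findings = []
    for line in lines:
        match = AUDIT_LINE_RE.search(line)
        if not match:
            continue
        cmd = match.group("cmd").strip()
        if not SNMP_WRITE_RE.match(cmd):
            continue
        user = match.group("user")
        role = roles.get(user, "unknown")
        if SHELL_META_RE.search(cmd):
            findings.append(_finding("tmsh", user, role, "high", cmd))
        elif role == "resource-admin":
            findings.append(_finding("tmsh", user, role, "review", cmd))
    return findings


def scan_rest(records: Iterable[dict], roles: dict[str, str]) -> list[dict]:
    """Same two rules for write requests under /mgmt/tm/sys/snmp, checking every
    string value in the JSON body rather than the raw request line."""
    findings = []
    for rec in records:
        if rec["method"] not in REST_WRITE_METHODS or not rec["uri"].startswith(SNMP_REST_PREFIX):
            continue
        user = rec["user"]
        role = roles.get(user, "unknown")
        suspect = [v for v in _string_values(rec.get("body")) if SHELL_META_RE.search(v)]
        detail = f"{rec['method']} {rec['uri']}"
        if suspect:
            findings.append(_finding("rest", user, role, "high", f"{detail} values={suspect}"))
        elif role == "resource-admin":
            findings.append(_finding("rest", user, role, "review", detail))
    return findings


if __name__ == "__main__":
    for f in scan_tmsh_audit(TMSH_AUDIT_LINES, ROLES) + scan_rest(REST_RECORDS, ROLES):
        print(f"{f['severity']:6} {f['source']:4} user={f['user']} role={f['role']} {f['detail']}")
```

The two rules are deliberately separate: the metacharacter check is the high-confidence signal for this weakness class, while the role-based "review" finding is the per-administrator baseline the last bullet above describes, so a clean SNMP change by a full administrator produces nothing and a clean change by a Resource Administrator is queued for review rather than alerted on.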
Monitoring Recommendations
- Forward BIG-IP and BIG-IQ audit logs to a centralized SIEM for correlation against authentication events.
- Monitor changes to the Resource Administrator role membership and review credential usage on the management plane.
- Track outbound activity from BIG-IP and BIG-IQ management interfaces for signs of post-exploitation command execution.
How to Mitigate CVE-2026-40698
Immediate Actions Required
- Review and reduce the number of accounts assigned the Resource Administrator role on BIG-IP and BIG-IQ systems.
- Restrict network access to the management interface, iControl REST, and tmsh to trusted administrative networks only.
- Rotate credentials for any account with the Resource Administrator role or higher and enforce multi-factor authentication where supported.
- Audit existing SNMP configuration objects for unexpected or suspicious values.
Patch Information
Apply the fixed versions referenced in F5 Security Article K000160981. Versions that have reached End of Technical Support are not covered by the advisory and should be upgraded to a supported release. Confirm the patch level on every BIG-IP and BIG-IQ instance, including high-availability peers, before considering remediation complete.
Workarounds
- Limit Resource Administrator role assignments to a minimal set of trusted operators.
- Isolate the management plane on a dedicated out-of-band network with strict access control lists.
- Disable or restrict iControl REST access where it is not operationally required.
- Enable detailed audit logging for SNMP configuration changes and review logs on a regular cadence.
# Configuration example: restrict management access and review SNMP object changes
# Replace 10.0.0.0/24 with your administrative network; the allow list replaces the
# current one, so include the address you are connecting from
tmsh modify sys httpd allow replace-all-with { 10.0.0.0/24 }   # GUI and iControl REST
tmsh modify sys sshd allow replace-all-with { 10.0.0.0/24 }    # SSH, and therefore tmsh
tmsh save sys config
# Accounts holding the Resource Administrator role (one-line output keeps user and role together)
tmsh list auth user one-line | grep "role resource-admin"
# Current SNMP objects (communities, users, traps); look for shell metacharacters in values
tmsh list sys snmp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


