Description
An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP, resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated attacker who holds the Resource Administrator or Administrator role on F5 BIG‑IP can use iControl SOAP to modify configuration objects, thereby elevating privileges and gaining full control over the system. The flaw arises from insufficient enforcement of permission checks on SOAP endpoints, allowing configuration changes that would normally be restricted.

Affected Systems

All actively supported F5 BIG‑IP devices are vulnerable, as the issue applies to any version that has not reached End of Technical Support. No specific version ranges were listed, so all releases within the supported lifecycle should be considered at risk.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, and although the EPSS score is not available, the lack of a KEV listing does not diminish the potential impact. The vulnerability requires an authenticated user, so an attacker must first compromise legitimate credentials or gain access through another vector that allows role assignment. Once authenticated, the attacker can change critical configuration settings, potentially compromising network security and availability.

Generated by OpenCVE AI on May 13, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch or firmware update issued by F5 that addresses the iControl SOAP permission issue.
  • Restrict administrator accounts to the minimum required networks and enforce least‑privilege access controls on the Resource Administrator and Administrator roles.
  • Disable iControl SOAP access from untrusted networks or limit it to designated management interfaces.
  • Enable detailed audit logging for configuration changes and set up alerts for unauthorized modifications.


Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared   (none)            F5; F5 big-ip
Vendors & Products    (none)            F5; F5 big-ip

Wed, 13 May 2026 17:15:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type          Values Removed    Values Added
Description   (none)            An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP, resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title         (none)            BIG-IP iControl SOAP vulnerability
Weaknesses    (none)            CWE-552
References    (none)
Metrics       (none)            cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}
                                cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-14T03:56:18.645Z

Reserved: 2026-04-30T23:04:10.890Z

Link: CVE-2026-40631

Vulnrichment

Updated: 2026-05-13T16:11:47.236Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:43.417

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-40631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:30:06Z

Weaknesses