Description
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in F5 Networks' BIG‑IP and BIG‑IQ systems that permits a highly privileged authenticated attacker with at least a Resource Administrator role to create SNMP configuration objects through the iControl REST API or the TMOS Shell (tmsh). This flaw enables the attacker to elevate privileges beyond the intended limits, effectively granting unauthorized access to privileged operations. The weakness is an example of CWE-77, where improper command validation allows manipulation of system behavior.

Affected Systems

Both the BIG‑IP web application delivery controller and the BIG‑IQ application security management platform are affected. Specific version information was not provided, and software that has reached End of Technical Support is excluded from the evaluation.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.5, qualifying it as high severity, yet it is not currently listed in CISA’s KEV catalog. The EPSS score is not available, and the attack requires an authenticated account with sufficient privileges, meaning that external attackers cannot exploit it without prior compromise. Once the attacker can create SNMP configuration objects, they can raise their own privileges and potentially control network traffic, leading to broader compromise of the managed infrastructure.

Generated by OpenCVE AI on May 13, 2026 at 16:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 BIG‑IP and BIG‑IQ updates that fix the SNMP configuration privilege escalation flaw.
  • Restrict the Resource Administrator role and enforce least privilege policies for users with that role.
  • Limit or disable iControl REST and tmsh access from untrusted networks, allowing API usage only from trusted hosts.

Generated by OpenCVE AI on May 13, 2026 at 16:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 big-ip
F5 big-iq
Vendors & Products F5
F5 big-ip
F5 big-iq
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title iControl REST and TMSH vulnerability
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

F5 Big-ip Big-iq
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-14T03:56:20.934Z

Reserved: 2026-04-30T23:04:10.886Z

Link: CVE-2026-40698

cve-icon Vulnrichment

Updated: 2026-05-13T16:12:00.531Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:43.593

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-40698

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T17:00:13Z

Weaknesses