F5 BIG-IP, BIG-IQ Privilege Escalation: CVE-2026-40698
The National Vulnerability Database (NVD) has detailed CVE-2026-40698, a high-severity privilege escalation vulnerability impacting F5 BIG-IP and BIG-IQ systems. This flaw, rated 8.7 CVSS, allows a highly privileged, authenticated attacker with at least the Resource Administrator role to craft SNMP configuration objects via iControl REST or the TMOS shell (tmsh). This manipulation ultimately leads to elevated privileges within the system.
This isn’t a zero-day for the casual attacker, but it’s a critical issue for internal security. An attacker who has already breached perimeter defenses and gained a foothold as a Resource Administrator can leverage this to escalate their access. The attacker’s calculus here is straightforward: move laterally, gain higher privileges, and expand control over critical network infrastructure. This vulnerability directly enables that.
For defenders, the immediate concern is internal segmentation and monitoring. While F5 has not specified affected versions beyond noting that End of Technical Support (EoTS) versions are not evaluated, assume broad applicability across active versions. Focus on robust authentication controls for privileged accounts and stringent monitoring of iControl REST and tmsh activity, particularly for SNMP configuration changes. This is a clear reminder that ‘highly privileged’ access is still a target for further escalation.
What This Means For You
- If your organization uses F5 BIG-IP or BIG-IQ, you need to understand the implications of CVE-2026-40698. This is about an attacker already inside, leveraging existing high-level access to gain even more control. Review your access controls for Resource Administrators, implement strict change management for SNMP configurations, and ensure your SIEM is alerting on suspicious iControl REST and tmsh commands. Don't wait for a patch if you can mitigate the attack surface now.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-40698 - F5 BIG-IP/BIG-IQ Privilege Escalation via SNMP Configuration
```yaml
title: CVE-2026-40698 - F5 BIG-IP/BIG-IQ Privilege Escalation via SNMP Configuration
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects the creation of SNMP configuration objects via iControl REST on F5 BIG-IP and BIG-IQ systems. This specific URI and method are indicative of the privilege escalation vulnerability described in CVE-2026-40698, where a highly privileged attacker can exploit this to gain further elevated privileges.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40698/
tags:
  - attack.privilege_escalation
  - attack.t1548.003
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/mgmt/tm/sys/snmp'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
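The rule above matches only successful POST requests on the iControl REST path, while the advisory also names tmsh as a route. The Python below is an added example, not part of the original page or of any F5 or Sigma tooling; it goes beyond the rule by covering other write methods and tmsh audit lines, and it separates changes made by accounts outside a change-management allowlist. The log line formats, the account names and the `APPROVED_SNMP_ADMINS` allowlist are assumptions constructed for illustration.

```python
import re

# Constructed sample input. Both line formats are assumptions for this example:
# an access-log style line for iControl REST and a tmsh audit line with cmd_data=.
SAMPLE_LOG = """\
10.0.0.5 resadmin1 [13/May/2026:10:02:11 +0000] "POST /mgmt/tm/sys/snmp/communities HTTP/1.1" 200
10.0.0.5 resadmin1 [13/May/2026:10:02:40 +0000] "GET /mgmt/tm/sys/snmp HTTP/1.1" 200
10.0.0.9 admin [13/May/2026:10:05:02 +0000] "PATCH /mgmt/tm/sys/snmp HTTP/1.1" 200
10.0.0.5 resadmin1 [13/May/2026:10:06:00 +0000] "POST /mgmt/tm/sys/snmp/users HTTP/1.1" 401
10.0.0.7 operator2 [13/May/2026:10:07:00 +0000] "POST /mgmt/tm/ltm/pool HTTP/1.1" 200
May 13 10:09:15 bigip1 notice tmsh[4242]: 01420002:5: AUDIT - pid=4242 user=resadmin1 folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys snmp <constructed arguments>
May 13 10:10:15 bigip1 notice tmsh[4242]: 01420002:5: AUDIT - pid=4242 user=resadmin1 folder=/Common module=(tmos)# status=[Command OK] cmd_data=list sys snmp
"""

APPROVED_SNMP_ADMINS = {"admin"}  # hypothetical change-management allowlist
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REST_RE = re.compile(
    r'^\S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})$')
TMSH_RE = re.compile(
    r'AUDIT - .*?\buser=(?P<user>\S+) .*?status=\[(?P<status>[^\]]*)\] cmd_data=(?P<cmd>.*)$')
TMSH_WRITE_RE = re.compile(r'^(create|modify|delete)\s+sys\s+snmp\b')

def find_snmp_changes(log_text, approved=APPROVED_SNMP_ADMINS):
    """Return one finding per successful SNMP configuration write."""
    findings = []
    for line in log_text.splitlines():
        rest = REST_RE.match(line)
        tmsh = None if rest else TMSH_RE.search(line)
        if rest:
            # Same URI test as the Sigma rule, widened to every write method and 2xx status.
            hit = (rest["method"] in WRITE_METHODS and "/mgmt/tm/sys/snmp" in rest["uri"]
                   and rest["status"].startswith("2"))
            channel, user, action = "icontrol-rest", rest["user"], f'{rest["method"]} {rest["uri"]}'
        elif tmsh:
            # Read-only commands such as "list" are ignored; only state changes count.
            hit = tmsh["status"] == "Command OK" and bool(TMSH_WRITE_RE.match(tmsh["cmd"]))
            channel, user, action = "tmsh", tmsh["user"], tmsh["cmd"]
        else:
            continue
        if hit:
            findings.append({"channel": channel, "user": user, "action": action,
                             "approved": user in approved})
    return findings

def unapproved(findings):
    """Findings made by accounts outside the allowlist; these deserve an alert."""
    return [f for f in findings if not f["approved"]]

if __name__ == "__main__":
    for f in find_snmp_changes(SAMPLE_LOG):
        print(f)
```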
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40698 | Privilege Escalation | BIG-IP systems |
| CVE-2026-40698 | Privilege Escalation | BIG-IQ systems |
| CVE-2026-40698 | Privilege Escalation | SNMP configuration objects creation via iControl REST |
| CVE-2026-40698 | Privilege Escalation | SNMP configuration objects creation via TMOS shell (tmsh) |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.