CVE-2026-40631: F5 iControl SOAP Privilege Escalation
An authenticated attacker with Resource Administrator or Administrator roles can modify configuration objects through iControl SOAP in F5 products, leading to privilege escalation via CVE-2026-40631.
CVE-2026-40631 describes a privilege escalation vulnerability affecting F5 Networks products. An attacker who has already gained authenticated access with either Resource Administrator or Administrator privileges can exploit this vulnerability. The flaw resides in the iControl SOAP interface, which allows for the modification of configuration objects. By leveraging this vulnerability, an attacker can escalate their privileges within the system. This vulnerability is particularly relevant for organizations using F5 products for load balancing, security, or application delivery, as it could allow a compromised administrator account to gain full control over the affected system. Software versions that have reached End of Technical Support (EoTS) are not evaluated.
Attack Chain
- An attacker gains initial authenticated access to an F5 device with either Resource Administrator or Administrator privileges. This could be achieved through credential theft, phishing, or other means.
- The attacker identifies the iControl SOAP interface as a means to modify configuration objects.
- The attacker crafts a malicious SOAP request targeting a specific configuration object.
- The malicious SOAP request is sent to the iControl SOAP endpoint.
- The F5 device processes the SOAP request, and due to the vulnerability, allows the modification of the targeted configuration object.
- The attacker modifies a configuration object to grant themselves higher privileges, such as creating a new administrative user or modifying existing user roles.
- The attacker uses the escalated privileges to perform unauthorized actions, such as accessing sensitive data, modifying security policies, or disrupting network services.
Impact
Successful exploitation of CVE-2026-40631 allows an attacker to escalate privileges within the F5 system. This could lead to a complete compromise of the affected device, allowing the attacker to access sensitive data, modify security policies, and disrupt network services. This vulnerability has a high CVSS score of 8.7, highlighting the potential for significant damage. The number of victims and sectors targeted will depend on the prevalence of vulnerable F5 devices within different organizations.
Recommendation
- Apply the necessary patches or mitigations provided by F5 Networks to address CVE-2026-40631. Refer to the F5 Networks advisory (https://my.f5.com/manage/s/article/K000160979) for specific instructions.
- Implement the Sigma rule “Detect iControl SOAP Configuration Modification” to detect suspicious SOAP requests targeting configuration objects.
- Enforce the principle of least privilege, limiting the number of users with Resource Administrator or Administrator roles on F5 devices.
- Monitor iControl SOAP logs for unusual activity, such as unexpected configuration changes or requests from unfamiliar IP addresses.
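One way to act on the log-monitoring recommendation above, as an added example (not F5's code and not the Sigma rules named on this page): flag POST requests to the iControl SOAP portal that come from sources outside an approved management range. The endpoint path /iControl/iControlPortal.cgi, the Apache-style access log layout, the allowlist range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: iControl SOAP is served at this path on the management interface.
ICONTROL_PATH = "/iControl/iControlPortal.cgi"
# Assumption: placeholder range for hosts approved to call iControl SOAP.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]

# Assumed log layout: src ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation addresses, hypothetical users).
SAMPLE_LOG = [
    '10.20.0.5 - svc-automation [12/May/2026:09:14:02 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 1532',
    '203.0.113.77 - - [12/May/2026:03:40:58 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 401 381',
    '203.0.113.77 - admin2 [12/May/2026:03:41:19 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 2210',
    '10.20.0.5 - svc-automation [12/May/2026:09:15:40 +0000] "GET /iControl/iControlPortal.cgi HTTP/1.1" 200 412',
]

def is_allowed(src):
    """True only if src parses as an IP inside an approved range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as unfamiliar
    return any(addr in net for net in ALLOWED_SOURCES)

def review(lines):
    """Return (alerts, per-source POST counts) for iControl SOAP requests."""
    alerts, posts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # SOAP calls arrive as POST; skip everything else
        if m["path"].split("?", 1)[0] != ICONTROL_PATH:
            continue
        posts[m["src"]] += 1
        if not is_allowed(m["src"]):
            alerts.append({"src": m["src"], "user": m["user"],
                           "time": m["ts"], "status": int(m["status"])})
    return alerts, posts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG)[0]:
        print(alert)
```

An access log does not show the SOAP body, so each alert still needs to be correlated with the device's configuration-change audit trail to see what was modified.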
Detection coverage
Detect iControl SOAP Configuration Modification
Severity: medium. Detects CVE-2026-40631 exploitation: suspicious iControl SOAP requests attempting to modify configuration objects.
Detect iControl SOAP Login Attempts
Severity: low. Detects iControl SOAP login attempts via POST requests to the iControl portal, which is often a precursor to exploitation.