high threat

F5 BIG-IP and BIG-IQ iControl REST/TMOS Shell Privilege Escalation Vulnerability (CVE-2026-40698)

CVE-2026-40698 allows a highly privileged, authenticated attacker with Resource Administrator privileges in F5 BIG-IP and BIG-IQ systems to create SNMP configuration objects via iControl REST or TMOS shell (tmsh), resulting in privilege escalation.

CVE-2026-40698 is a privilege escalation vulnerability affecting F5 BIG-IP and BIG-IQ systems. A remote, authenticated attacker who possesses at least Resource Administrator privileges can exploit this vulnerability to gain higher-level privileges within the system. The vulnerability stems from the ability to create arbitrary SNMP configuration objects through either the iControl REST API or the TMOS shell (tmsh). This can lead to the attacker gaining unauthorized control over the affected system. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated as part of this vulnerability disclosure.

Attack Chain

  1. Attacker authenticates to the BIG-IP or BIG-IQ system with Resource Administrator privileges.
  2. Attacker crafts a malicious SNMP configuration object using the iControl REST API.
  3. Attacker sends the malicious configuration object to the iControl REST endpoint.
  4. Alternatively, attacker crafts a malicious SNMP configuration object using the TMOS shell (tmsh).
  5. Attacker executes the crafted SNMP configuration object via the TMOS shell.
  6. The system processes the malicious SNMP configuration object.
  7. The malicious SNMP configuration object is created.
  8. Attacker leverages the newly created SNMP configuration object to escalate privileges to gain unauthorized access.

Impact

Successful exploitation of CVE-2026-40698 allows an attacker with Resource Administrator privileges to escalate their privileges within the BIG-IP or BIG-IQ system. This can lead to complete system compromise, allowing the attacker to modify configurations, access sensitive data, and potentially disrupt services. The specific impact depends on the scope of the escalated privileges.

Recommendation

  • Apply the security patch or upgrade to a fixed version of BIG-IP or BIG-IQ as recommended by F5 Networks to remediate CVE-2026-40698 (https://my.f5.com/manage/s/article/K000160981).
  • Deploy the Sigma rule “Detect Suspicious SNMP Configuration via iControl REST” to detect potentially malicious SNMP configuration creation via iControl REST API.
  • Deploy the Sigma rule “Detect Suspicious SNMP Configuration via TMOS Shell” to detect potentially malicious SNMP configuration creation via TMOS shell.

Detection coverage (2 rules)

Detect Suspicious SNMP Configuration via iControl REST

high

Detects CVE-2026-40698 exploitation — creation of SNMP configuration objects via iControl REST that may lead to privilege escalation.

sigma | tactics: privilege_escalation | techniques: T1068, T1548.001 | sources: webserver

Detect Suspicious SNMP Configuration via TMOS Shell

high

Detects CVE-2026-40698 exploitation — creation of SNMP configuration objects via TMOS shell (tmsh) that may lead to privilege escalation.

sigma | tactics: privilege_escalation | techniques: T1068, T1548.001 | sources: process_creation, linux
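
The matching logic both detections describe, as an added Python example (not the platform's Sigma rules, which are not shown on this page, and not F5 code). It assumes logs already normalised into key=value lines, the `/mgmt/tm/sys/snmp` REST path, the `sys snmp` tmsh component and the `resource-admin` role name; the sample events and the severity split are constructed for illustration.

```python
import re
import shlex

# Assumptions: SNMP objects sit under the "sys snmp" component, reachable as
# /mgmt/tm/sys/snmp over iControl REST; log lines are pre-normalised key=value.
REST_SNMP = re.compile(r"^/mgmt/tm/sys/snmp(/|\?|$)", re.I)
TMSH_SNMP = re.compile(r"\b(create|modify)\s+/?\s*sys\s+snmp\b", re.I)
WRITE_METHODS = {"POST", "PUT", "PATCH"}

def parse(line):
    """Split a key=value line (values may be double-quoted) into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def detect(line):
    """Return a finding dict for an SNMP configuration write, else None."""
    ev = parse(line)
    if ev.get("method", "").upper() in WRITE_METHODS and REST_SNMP.search(ev.get("uri", "")):
        channel = "icontrol_rest"
    elif TMSH_SNMP.search(ev.get("cmd", "")):
        channel = "tmsh"
    else:
        return None
    # Resource Administrator is the precondition the advisory names.
    severity = "high" if ev.get("role") == "resource-admin" else "medium"
    return {"channel": channel, "user": ev.get("user"), "severity": severity}

def scan(lines):
    """Run detect() over every line and keep only the findings."""
    return [hit for hit in map(detect, lines) if hit]

# Constructed sample events (not real device logs).
SAMPLE = [
    'src=rest user=ops1 role=resource-admin method=GET uri=/mgmt/tm/sys/snmp status=200',
    'src=rest user=ops1 role=resource-admin method=PATCH uri=/mgmt/tm/sys/snmp status=200',
    'src=rest user=ops2 role=admin method=POST uri=/mgmt/tm/sys/snmp/communities status=200',
    'src=rest user=ops1 role=resource-admin method=POST uri=/mgmt/tm/sys/snmpx status=404',
    'src=tmsh user=ops1 role=resource-admin cmd="list sys snmp"',
    'src=tmsh user=ops1 role=resource-admin cmd="modify sys snmp communities add { example }"',
    'src=tmsh user=ops3 role=resource-admin cmd="modify ltm pool web members add { example }"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Reads and unrelated writes are ignored, so the findings are limited to SNMP configuration changes; baseline these against approved change windows before alerting on them.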
