{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/icontrol/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-40631"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","f5","icontrol","soap"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-40631 describes a privilege escalation vulnerability affecting F5 Networks products. An attacker who has already gained authenticated access with either Resource Administrator or Administrator privileges can exploit this vulnerability. The flaw resides in the iControl SOAP interface, which allows for the modification of configuration objects. By leveraging this vulnerability, an attacker can escalate their privileges within the system. This vulnerability is particularly relevant for organizations using F5 products for load balancing, security, or application delivery, as it could allow a compromised administrator account to gain full control over the affected system. Software versions that have reached End of Technical Support (EoTS) are not evaluated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial authenticated access to an F5 device with either Resource Administrator or Administrator privileges. This could be achieved through credential theft, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the iControl SOAP interface as a means to modify configuration objects.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SOAP request targeting a specific configuration object.\u003c/li\u003e\n\u003cli\u003eThe malicious SOAP request is sent to the iControl SOAP endpoint.\u003c/li\u003e\n\u003cli\u003eThe F5 device processes the SOAP request, and due to the vulnerability, allows the modification of the targeted configuration object.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a configuration object to grant themselves higher privileges, such as creating a new administrative user or modifying existing user roles.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the escalated privileges to perform unauthorized actions, such as accessing sensitive data, modifying security policies, or disrupting network services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40631 allows an attacker to escalate privileges within the F5 system. This could lead to a complete compromise of the affected device, allowing the attacker to access sensitive data, modify security policies, and disrupt network services. This vulnerability has a high CVSS score of 8.7, highlighting the potential for significant damage. The number of victims and sectors targeted will depend on the prevalence of vulnerable F5 devices within different organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patches or mitigations provided by F5 Networks to address CVE-2026-40631. Refer to the F5 Networks advisory (\u003ca href=\"https://my.f5.com/manage/s/article/K000160979\"\u003ehttps://my.f5.com/manage/s/article/K000160979\u003c/a\u003e) for specific instructions.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect iControl SOAP Configuration Modification\u0026rdquo; to detect suspicious SOAP requests targeting configuration objects.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege, limiting the number of users with Resource Administrator or Administrator roles on F5 devices.\u003c/li\u003e\n\u003cli\u003eMonitor iControl SOAP logs for unusual activity, such as unexpected configuration changes or requests from unfamiliar IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:23:18Z","date_published":"2026-05-13T16:23:18Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40631-privesc/","summary":"An authenticated attacker with Resource Administrator or Administrator roles can modify configuration objects through iControl SOAP in F5 products, leading to privilege escalation via CVE-2026-40631.","title":"CVE-2026-40631: F5 iControl SOAP Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40631-privesc/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-41225"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["iControl REST"],"_cs_severities":["critical"],"_cs_tags":["cve","rce","f5","icontrol"],"_cs_type":"advisory","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-41225 is a critical vulnerability affecting F5 iControl REST. It enables a highly privileged attacker, authenticated with at least the Manager role, to create malicious configuration objects. This flaw stems from an incorrect use of privileged APIs, potentially allowing the injection of arbitrary commands. Successful exploitation leads to Remote Code Execution (RCE) on the affected system, compromising its integrity and availability. Note that End of Technical Support (EoTS) software versions are not evaluated for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the iControl REST interface with Manager-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious configuration object containing commands for execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the iControl REST API to create or modify the malicious configuration object.\u003c/li\u003e\n\u003cli\u003eThe vulnerable API endpoint processes the configuration object without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe system executes the attacker-supplied commands within the context of the iControl REST process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the underlying system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe ultimate impact is full system compromise, including the ability to disrupt services, steal sensitive information, or install persistent backdoors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41225 allows a privileged attacker to achieve arbitrary command execution. This can lead to a full system compromise, potentially affecting critical network infrastructure and services. The high CVSS score (9.1) reflects the significant risk posed by this vulnerability. Organizations using affected versions of F5 iControl REST are at risk of data breaches, service disruption, and other severe security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security updates provided by F5 Networks to remediate CVE-2026-41225.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for iControl REST access to limit the impact of potential compromises.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict lateral movement following a successful exploit.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect iControl REST Configuration Object Manipulation\u0026rdquo; to identify suspicious activity related to configuration object creation or modification via the iControl REST API.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for iControl REST API calls to aid in incident investigation and detection efforts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:17:56Z","date_published":"2026-05-13T16:17:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-icontrol-rce/","summary":"CVE-2026-41225 allows a highly privileged, authenticated attacker with at least the Manager role to create configuration objects in F5 iControl REST, leading to arbitrary command execution.","title":"F5 iControl REST RCE Vulnerability (CVE-2026-41225)","url":"https://feed.craftedsignal.io/briefs/2026-05-icontrol-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Icontrol","version":"https://jsonfeed.org/version/1.1"}