Attack Chain

1. An attacker identifies a vulnerable BIG-IP system with an Advanced WAF or ASM security policy enabled on a virtual server.
2. The attacker crafts a series of undisclosed HTTP requests.
3. The attacker sends the malicious requests to the targeted virtual server.
4. The BIG-IP system processes the requests through the configured WAF/ASM security policy.
5. The crafted requests trigger a fault or unhandled exception within the bd process.
6. The bd process terminates unexpectedly as a result of the crafted malicious requests.
7. The termination of the bd process disrupts the normal operation of the BIG-IP system.
8. Web applications protected by the affected virtual server become unavailable, resulting in a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-40060 results in a denial-of-service (DoS) condition, rendering web applications protected by the vulnerable BIG-IP system unavailable. The impact is high in terms of availability, as legitimate users are unable to access the affected services. This can lead to business disruption, reputational damage, and potential financial losses for organizations relying on the affected BIG-IP systems. The specific number of victims and sectors targeted will vary depending on the prevalence of the vulnerable configuration.

Recommendation

• Refer to F5’s advisory K000160727 for detailed information and mitigation steps.
• Apply the necessary updates or workarounds provided by F5 Networks to address CVE-2026-40060 on vulnerable BIG-IP Advanced WAF and ASM deployments.
• Monitor web server logs for unusual traffic patterns or anomalies that may indicate exploitation attempts, and deploy the Sigma rule detecting bd process crashes to identify potential attacks.
• Implement rate limiting and traffic filtering mechanisms to mitigate the impact of potential denial-of-service attacks.