Cyber Resilience

CVE-2026-40698

HighRCEUpdated

Published: 13 May 2026

Published
13 May 2026
Modified
29 June 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0024 14.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-40698 is a high-severity Command Injection (CWE-77) vulnerability in F5 Big-Ip Access Policy Manager. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) resulting in privilege escalation. Note: Software…

more

versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Vulnerability directly enables authenticated privilege escalation via command injection in configuration objects (CWE-77).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-55125Shared CWE-77
CVE-2026-41953Shared CWE-77
CVE-2024-46662Shared CWE-77
CVE-2026-23862Shared CWE-77
CVE-2025-33249Shared CWE-77
CVE-2025-22472Shared CWE-77
CVE-2025-33181Shared CWE-77
CVE-2025-33180Shared CWE-77
CVE-2026-40061Shared CWE-77
CVE-2026-8632Shared CWE-77

Affected Assets

f5
big-ip access policy manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip advanced firewall manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip advanced web application firewall
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip analytics
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip application acceleration manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip application security manager
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip application visibility and reporting
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip automation toolchain
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip carrier-grade nat
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
f5
big-ip container ingress services
21.0.0 · 17.1.0 — 17.1.3 · 17.5.0 — 17.5.1 · 16.1.0 — 16.1.6
+12 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References