PatchSiren


CVE-2026-40067 F5 CVE debrief

A vulnerability in BIG-IP APM access policy can cause the apmd process to terminate when undisclosed traffic is received. This HIGH-severity vulnerability has a CVSS score of 8.7. The affected products are BIG-IP Access Policy Manager versions 16.1.0 to 16.1.6, 17.1.0 to 17.1.3, and 17.5.0 to 17.5.1. Software versions that have reached End of Technical Support (EoTS) are not evaluated.

Vendor: F5
Product: BIG-IP
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-29
Advisory published: 2026-05-13
Advisory updated: 2026-06-29

Who should care

Security teams and administrators responsible for BIG-IP Access Policy Manager should be aware of this vulnerability and take necessary actions to mitigate the risk. The vulnerability can be exploited by sending undisclosed traffic to the virtual server. F5 has provided a vendor advisory for mitigation.

Technical summary

The vulnerability exists in the BIG-IP APM access policy: the apmd process can terminate when undisclosed traffic is received. The affected products are BIG-IP Access Policy Manager versions 16.1.0 to 16.1.6, 17.1.0 to 17.1.3, and 17.5.0 to 17.5.1. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Read as base metrics, this describes a network-reachable, low-complexity attack that needs no privileges and no user interaction, with the only impact being high loss of availability on the vulnerable system (VA:H). Every metric marked X is Not Defined.
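The version ranges above can be checked against a device inventory, as in this added example (not code from F5 or from this page). It assumes the listed bounds are inclusive and that versions compare component by component; the hostnames and inventory are constructed sample data.

```python
# Added example: triage BIG-IP versions against the ranges listed on this page.
# Assumptions: bounds are inclusive; versions compare component-wise.

AFFECTED = {  # branch -> (first affected, last affected), as listed on this page
    (16, 1): ((16, 1, 0), (16, 1, 6)),
    (17, 1): ((17, 1, 0), (17, 1, 3)),
    (17, 5): ((17, 5, 0), (17, 5, 1)),
}

def parse_version(text):
    """'17.1.2.1' -> (17, 1, 2, 1); shorter versions are zero-padded to four parts."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unrecognised version: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def classify(text):
    """Return one of: affected, outside-listed-range, branch-not-listed, unparsed."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparsed"
    bounds = AFFECTED.get(version[:2])
    if bounds is None:
        # The page says EoTS releases are not evaluated, so a branch missing
        # from the list is unknown, not confirmed safe.
        return "branch-not-listed"
    low, high = (b + (0,) for b in bounds)
    return "affected" if low <= version <= high else "outside-listed-range"

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "apm-edge-01.example.net": "17.1.2.1",
    "apm-edge-02.example.net": "17.5.2",
    "apm-legacy-01.example.net": "15.1.10",
    "apm-lab-01.example.net": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {SAMPLE_INVENTORY[host]:10} {status}")
```

Hosts reported as branch-not-listed or unparsed need a manual check against the F5 advisory rather than being treated as unaffected.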

Defensive priority

This HIGH-severity vulnerability requires immediate attention from security teams and administrators. It can be mitigated by following the guidance in the vendor advisory provided by F5.

Recommended defensive actions

  • Follow the mitigation guidance in the vendor advisory provided by F5.
  • Restrict access to the virtual server to only trusted sources.
  • Monitor the BIG-IP APM access policy for any suspicious activity.
  • Consider upgrading to a non-vulnerable version of BIG-IP Access Policy Manager.
  • Verify that the BIG-IP APM access policy is properly configured.

Evidence notes

The vulnerability is documented in the CVE record and the NVD detail page. The vendor advisory provided by F5 recommends mitigation steps. The affected products and versions are listed in the CVE record and the NVD detail page.

This article is AI-assisted and based on the supplied source corpus.