PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40462 F5 CVE debrief

CVE-2026-40462 is a high-severity vulnerability in F5 products that allows authenticated attackers to view sensitive information. The vulnerability exists in an undisclosed iControl REST and TMOS shell (tmsh) command. Software versions that have reached End of Technical Support (EoTS) are not evaluated. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.1, indicating high severity. The vulnerability was published on May 13, 2026, and last modified on June 29, 2026.

Vendor: F5
Product: BIG-IP
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-29
Advisory published: 2026-05-13
Advisory updated: 2026-06-29

Who should care

Security teams and administrators responsible for F5 products should be aware of this vulnerability. The vulnerability affects various F5 products, including BIG-IP Access Policy Manager, BIG-IP Advanced Firewall Manager, and others. Affected organizations should review the vendor advisory and apply necessary mitigations.

Technical summary

The vulnerability exists in an undisclosed iControl REST and TMOS shell (tmsh) command and allows authenticated attackers to view sensitive information. It affects F5 products including BIG-IP Access Policy Manager, BIG-IP Advanced Firewall Manager, BIG-IP Advanced Web Application Firewall, and others. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
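As an added example (not PatchSiren's or F5's code), the following Python parses the CVSS v4.0 vector quoted above and derives the facts a responder should cross-check against the narrative: network-reachable, credentials required (PR:L), confidentiality impact only, no subsequent-system impact. The severity band follows the CVSS v4.0 qualitative scale; the 7.1 score is taken from the advisory rather than recomputed.

```python
# Added example (not PatchSiren's or F5's code): parse the CVSS v4.0 vector
# quoted in the technical summary and derive the facts a responder checks
# against the narrative (remote, authenticated, disclosure-only). Severity
# bands follow the CVSS v4.0 qualitative scale; the score itself comes from
# the advisory and is not recomputed here.

VECTOR = (  # the vector string quoted in the technical summary
    "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
    "/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X"
    "/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
)
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")


def parse_cvss4(vector: str) -> dict:
    """Return {metric: value}; reject non-4.0, malformed or duplicate metrics."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not (sep and name and value) or name in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def severity_band(score: float) -> str:
    """CVSS v4.0 qualitative rating: 0 None, <4 Low, <7 Medium, <9 High, else Critical."""
    if score == 0.0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"


def triage_summary(vector: str) -> dict:
    """Facts to cross-check against the advisory text."""
    m = parse_cvss4(vector)
    return {
        "remote": m["AV"] == "N",
        "needs_credentials": m["PR"] in ("L", "H"),
        "needs_user_interaction": m["UI"] != "N",
        "disclosure_only": m["VC"] != "N" and m["VI"] == "N" and m["VA"] == "N",
        "subsequent_system_impact": any(m[k] != "N" for k in ("SC", "SI", "SA")),
    }
```

Running `triage_summary(VECTOR)` on the advisory's vector confirms the narrative: remote, authenticated, confidentiality-only, no subsequent-system impact.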

Defensive priority

High

Recommended defensive actions

  • Review and apply vendor advisory K000156581
  • Inventory and assess F5 product versions for potential vulnerability
  • Implement compensating controls to limit access to sensitive information
  • Monitor for suspicious activity related to iControl REST and TMOS shell (tmsh)
  • Consider upgrading to non-vulnerable versions of F5 products

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. The vendor advisory K000156581 offers mitigation guidance. The vulnerability affects multiple F5 products, and software versions that have reached End of Technical Support (EoTS) are not evaluated.

Official resources

This article was generated with AI assistance based on the supplied source corpus.