PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40631 F5 CVE debrief

CVE-2026-40631 is a HIGH severity vulnerability in F5 BIG-IP. An authenticated attacker who already holds the Resource Administrator or Administrator role can modify configuration objects through the iControl SOAP interface and thereby escalate privileges beyond what that role is meant to grant. Multiple BIG-IP products and version ranges are affected. Software versions that have reached End of Technical Support (EoTS) were not evaluated, so an older release is not thereby known to be safe. F5 has published mitigation guidance.

Vendor
F5
Product
BIG-IP
CVSS
HIGH 8.5 (CVSS v4.0 base score)
CISA KEV
Not listed (as of the stored evidence)
Original CVE published
2026-05-13
Original CVE updated
2026-06-29
Advisory published
2026-05-13
Advisory updated
2026-06-29

Who should care

Any organization running F5 BIG-IP, in particular versions 16.1.0 through 17.1.3 and 17.5.0 through 17.5.1. The attacker's prerequisite is an account holding the Resource Administrator or Administrator role, so exposure is greatest where such accounts are shared, used by automation, reachable from broad networks, or held by staff who are not meant to have full control of the device. Treat this as needing prompt mitigation or patching.
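The first practical step is to line up every BIG-IP in the fleet against the version ranges this debrief lists. The script below is an added example (not PatchSiren's or F5's code): it parses a version string such as `17.1.1.4`, classifies it against the two affected ranges, and treats anything below 16.1.0 as "not evaluated" rather than "safe", matching the EoTS caveat above. The `tmsh show sys version` snippet it reads is a constructed approximation of that command's output, and the rule that a point release inside a listed boundary (e.g. 17.1.3.x) counts as affected is an assumption to be confirmed against K000160979, which is also where the fixed builds live; the page itself does not state them.

```python
"""Triage BIG-IP versions against the ranges stated for CVE-2026-40631.

Added example, not F5's or PatchSiren's code. Ranges are taken from this
debrief; fixed builds are not stated on the page, so "affected" means
"consult K000160979 for the fix", not "upgrade to version X".
"""
import re
from typing import List, Tuple

# Inclusive (low, high) bounds on the first three version components.
# Assumption: a point release such as 17.1.3.1 sits inside the 17.1.3
# boundary and is treated as affected until the F5 article says otherwise.
AFFECTED_RANGES = [((16, 1, 0), (17, 1, 3)), ((17, 5, 0), (17, 5, 1))]
LOWEST_EVALUATED = (16, 1, 0)   # older trains were not evaluated (EoTS)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '17.1.1.4' into (17, 1, 1, 4); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable BIG-IP version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one version string: affected / not_evaluated / outside_listed_ranges."""
    v = parse_version(version)
    key = (v + (0, 0, 0))[:3]          # pad short strings like "17.1"
    for low, high in AFFECTED_RANGES:
        if low <= key <= high:
            return "affected"
    if key < LOWEST_EVALUATED:
        return "not_evaluated"         # EoTS: absence of evidence, not safety
    return "outside_listed_ranges"


# Constructed approximation of `tmsh show sys version` output (not captured
# from a real device); only the "Version" line is consumed.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.1
  Build       0.0.2
  Edition     Final
"""


def version_from_tmsh(output: str) -> str:
    """Pull the Version field out of tmsh's 'show sys version' text."""
    m = re.search(r"^\s*Version\s+(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line in tmsh output")
    return m.group(1)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (hostname, version) pairs -> (hostname, version, status)."""
    return [(host, ver, assess(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Hypothetical fleet; hostnames and versions are constructed.
    fleet = [("ltm-edge-01", version_from_tmsh(SAMPLE_TMSH_OUTPUT)),
             ("ltm-core-02", "17.5.1.2"),
             ("apm-old-03", "15.1.10"),
             ("ltm-lab-04", "17.1.4")]
    for row in triage(fleet):
        print("%-12s %-10s %s" % row)
```

A device reported as `outside_listed_ranges` still deserves a second look: a later train may simply not have been in this debrief's stored evidence, so confirm against the current F5 article before closing the ticket.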

Technical summary

The flaw is in the iControl SOAP management interface of BIG-IP. An authenticated caller holding the Resource Administrator or Administrator role can modify configuration objects through that interface in a way that escalates privilege beyond the role's intended boundary. Affected products include BIG-IP Access Policy Manager (APM), Advanced Firewall Manager (AFM), Advanced Web Application Firewall and many other BIG-IP modules, all of which run on the same BIG-IP platform and expose the same iControl SOAP interface; the affected version ranges are listed under Who should care. The CVSS v4.0 base score is 8.5 (HIGH): reachable over the network with low attack complexity and no user interaction, but requiring high privileges, with high confidentiality and integrity impact on the vulnerable system.

Defensive priority

High. Apply vendor patches or mitigations immediately. Until that is done, restrict reachability of the BIG-IP management plane (iControl SOAP is served alongside the Configuration utility and iControl REST on the management interface) to trusted administrative networks, and review which accounts hold the Resource Administrator or Administrator role.

Recommended defensive actions

  • Apply the F5 fixes for affected BIG-IP versions (16.1.0 through 17.1.3 and 17.5.0 through 17.5.1); the fixed builds are listed in K000160979, not on this page.
  • Implement compensating controls to restrict iControl SOAP access: limit management-plane HTTPS to trusted management networks (on BIG-IP the httpd allow list, `tmsh modify sys httpd allow replace-all-with { <mgmt-net> }`, governs the Configuration utility and iControl interfaces together) and block the management port on any self IP that does not need it.
  • Reduce the attacker's prerequisite: audit accounts with the Resource Administrator or Administrator role, remove stale or shared ones, and give automation its own least-privileged accounts.
  • Monitor for iControl SOAP activity that does not match the expected profile (unexpected source networks, unexpected accounts, bursts of calls) and correlate it with configuration-change audit logs.
  • Inventory every BIG-IP instance and compare its running version against the affected ranges; remember that EoTS versions were not evaluated, so they are not cleared.
  • Follow F5's mitigation guidance (K000160979), which is authoritative over this summary.
  • Where a fix is not available for a deployed train, plan an upgrade to a non-vulnerable version.
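The monitoring item above is easy to state and harder to operationalize, because a web-server access log shows that iControl SOAP was called but not which SOAP method was invoked (that is in the POST body). The script below is an added example (not PatchSiren's or F5's code) of the detection logic a practitioner would run over BIG-IP httpd access-log lines: it picks out POSTs to the iControl SOAP endpoint `/iControl/iControlPortal.cgi`, flags any from outside an assumed management network, any by an account not on an assumed automation allow-list, and any source that bursts above a threshold. The log lines, networks, account names and threshold are all constructed assumptions for the example; the endpoint path is the real iControl SOAP path.

```python
"""Flag iControl SOAP calls outside an expected management profile.

Added example, not F5's or PatchSiren's code. Input is Apache-style access
log text of the kind BIG-IP's httpd writes; the sample lines below are
constructed, not captured from a device. A request log proves *that* the
SOAP interface was used, not *what* was changed; pair it with config audit
logging for the latter.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

SOAP_PATH = "/iControl/iControlPortal.cgi"   # iControl SOAP endpoint
# Assumed policy for the example: management traffic only from this network,
# and only this account is expected to drive iControl SOAP.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]
EXPECTED_SOAP_USERS = {"svc-automation"}
BURST_THRESHOLD = 3   # SOAP POSTs from one source within the sampled window

# Common/combined log format: src ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample: one legitimate automation call, one GUI hit, one SOAP
# call by a human admin account, and a burst from a non-management address.
SAMPLE_LOG = """\
10.10.0.7 - svc-automation [13/May/2026:09:00:01 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 2210 "-" "Java/17"
10.10.0.7 - svc-automation [13/May/2026:09:00:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1190 "-" "Mozilla/5.0"
10.10.0.31 - admin [13/May/2026:09:14:55 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 1844 "-" "python-requests/2.31"
198.51.100.23 - resadmin [13/May/2026:09:15:10 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 1844 "-" "python-requests/2.31"
198.51.100.23 - resadmin [13/May/2026:09:15:11 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 1844 "-" "python-requests/2.31"
198.51.100.23 - resadmin [13/May/2026:09:15:12 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 1844 "-" "python-requests/2.31"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one access-log line, or {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def analyse(lines: List[str]) -> List[str]:
    """One finding per out-of-profile SOAP POST, then one per bursting source."""
    findings: List[str] = []
    per_source: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != SOAP_PATH:
            continue                       # not an iControl SOAP call
        src = ipaddress.ip_address(rec["src"])
        per_source[rec["src"]] += 1
        if not any(src in net for net in ALLOWED_SOURCES):
            findings.append(f"{rec['ts']} SOAP POST from non-management source "
                            f"{src} as {rec['user']}")
        elif rec["user"] not in EXPECTED_SOAP_USERS:
            findings.append(f"{rec['ts']} SOAP POST by unexpected account "
                            f"{rec['user']} from {src}")
    for src_text, n in per_source.items():
        if n >= BURST_THRESHOLD:
            findings.append(f"burst: {n} SOAP POSTs from {src_text} in window")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

The account field only tells you which credential was presented, which is exactly the thing this CVE assumes the attacker already has; the useful signal is therefore the mismatch between who is using iControl SOAP, from where, and how often, against what your change process says should be happening.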

Evidence notes

CVE-2026-40631 is confirmed by F5 and NVD, and multiple CPEs are listed as vulnerable. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The base metrics behind the 8.5 score are AV:N (network), AC:L, AT:N, PR:H (high privileges, matching the role prerequisite), UI:N, VC:H and VI:H (high confidentiality and integrity impact on the vulnerable system), VA:N, and no subsequent-system impact (SC:N/SI:N/SA:N); every threat, environmental and supplemental metric is X (not defined).

Official resources

This article is AI-assisted and based on the supplied source corpus.