PatchSiren cyber security CVE debrief

CVE-2026-40699 F5 CVE debrief

CVE-2026-40699 is a high-severity vulnerability in F5 BIG-IP Access Policy Manager (APM). A low-privileged authenticated attacker may access undisclosed sensitive information. The vulnerability carries a CVSS score of 7.1 and is rated HIGH. F5 has published mitigation guidance. Software versions that have reached End of Technical Support (EoTS) were not evaluated.

Vendor: F5
Product: BIG-IP
CVSS: 7.1 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-24
Advisory published: 2026-05-13
Advisory updated: 2026-06-24

Who should care

Organizations running F5 BIG-IP Access Policy Manager versions 17.1.0-17.1.3 or 17.5.0-17.5.1 are affected by this vulnerability. Because exploitation requires only a low-privileged authenticated account, any organization that grants such accounts access to the Configuration utility is exposed. Review the affected versions and take the necessary actions.
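An added triage helper (not part of this debrief or of any F5 tooling) that classifies BIG-IP version strings against the two ranges quoted above. It assumes the stated bounds are inclusive, treats point releases and build suffixes as belonging to their maintenance release, and deliberately reports anything outside the ranges as NOT LISTED rather than "not affected", since EoTS branches were not evaluated; F5's K000156734 article remains the authoritative source.

```python
"""Classify BIG-IP versions against the affected ranges this debrief lists
for CVE-2026-40699: 17.1.0-17.1.3 and 17.5.0-17.5.1 (assumed inclusive).

Example code written for this page; confirm results against F5 K000156734."""
import re
from typing import Dict, Iterable, Tuple

# Inclusive (low, high) bounds as (major, minor, maintenance), from the debrief.
AFFECTED_RANGES = [
    ((17, 1, 0), (17, 1, 3)),
    ((17, 5, 0), (17, 5, 1)),
]

# Accepts "17.1.2", "17.1.2.1" and hotfix-style "17.1.2.1-0.0.3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, maintenance); the point release and build
    suffix are dropped, so a point release inherits its parent's status
    (an assumption of this helper, not a statement by F5)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def classify(version: str) -> str:
    """AFFECTED when inside a listed range; otherwise NOT LISTED, because a
    version outside the ranges may simply be an unevaluated EoTS branch."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return "AFFECTED"
    return "NOT LISTED"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> classification for (hostname, version) pairs, e.g.
    collected from each device's `tmsh show sys version` output."""
    return {host: classify(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("bigip-a.example", "17.1.2"), ("bigip-b.example", "17.5.1.1-0.0.5"),
              ("bigip-c.example", "17.1.4"), ("bigip-d.example", "16.1.5")]
    for host, result in triage(sample).items():
        print(f"{host}: {result}")
```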

Technical summary

The vulnerability exists in undisclosed pages of the Configuration utility of F5 BIG-IP Access Policy Manager, where a low-privileged authenticated attacker may access undisclosed sensitive information. It affects multiple F5 BIG-IP products, including BIG-IP Access Policy Manager, BIG-IP Advanced Firewall Manager, and others. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The base metrics describe a network-reachable issue with low attack complexity, low privileges required, no user interaction, high confidentiality impact and no integrity or availability impact; every threat, environmental and supplemental metric is X (not defined), so 7.1 is the base score.

Defensive priority

With a CVSS score of 7.1 (HIGH) and a precondition of only a low-privileged authenticated account, this information-disclosure vulnerability should be prioritized for patching or mitigation.

Recommended defensive actions

  • Review the affected F5 BIG-IP versions and apply patches or mitigations as recommended by F5.
  • Restrict access to the Configuration utility to only necessary users and networks.
  • Monitor for suspicious activity and implement additional security controls as needed.
  • Consider compensating controls, such as web application firewalls or intrusion detection systems.
  • Review and update incident response plans to address potential exploitation.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. F5 has provided mitigation guidance through their support article K000156734. The vulnerability affects multiple F5 BIG-IP products and versions.

This article is AI-assisted and based on the supplied source corpus.