📄 Description (English)
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🤖 AI Executive Summary
CVE-2026-40698 is a privilege escalation vulnerability in F5 BIG-IP and BIG-IQ systems affecting authenticated users with Resource Administrator role or higher. An attacker can exploit SNMP configuration object creation via iControl REST or tmsh to escalate privileges. With a CVSS score of 8.7 and no patch currently available, this poses significant risk to organizations relying on F5 infrastructure for load balancing and security services.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 20, 2026 01:16
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses critical risk to Saudi banking sector (SAMA-regulated institutions, major banks using F5 for API gateways and DDoS protection), government agencies (NCA, NCSC infrastructure), telecommunications providers (STC, Mobily, Zain), and energy sector (ARAMCO, SEC). F5 BIG-IP systems are widely deployed in Saudi Arabia for load balancing, SSL/TLS termination, and WAF functions. Privilege escalation could lead to complete system compromise, unauthorized access to sensitive data, and disruption of critical services.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Telecommunications
Energy and Utilities
Healthcare
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1078 - Valid Accounts
T1078.001 - Valid Accounts: Default Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
T1098.001 - Account Manipulation: Additional Cloud Credentials
T1110 - Brute Force
T1556 - Modify Authentication Process
T1556.006 - Modify Authentication Process: Multi-Factor Authentication
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all BIG-IP and BIG-IQ systems in your environment and document their versions
2. Restrict access to iControl REST API and tmsh shell to only essential administrators
3. Implement network segmentation to limit access to management interfaces
4. Enable detailed audit logging for all SNMP configuration changes
5. Monitor for suspicious SNMP object creation attempts
COMPENSATING CONTROLS (until patch available):
6. Disable SNMP service if not required for operations
7. Implement IP whitelisting for iControl REST and tmsh access
8. Enforce multi-factor authentication for administrative access
9. Use VPN/bastion hosts for all management access
10. Implement role-based access control (RBAC) - limit Resource Administrator role assignments
DETECTION:
11. Monitor iControl REST logs for SNMP configuration object creation (POST requests to /mgmt/tm/sys/snmp/)
12. Monitor tmsh audit logs for 'create snmp' commands
13. Alert on any privilege escalation attempts or role modifications
14. Track failed authentication attempts to management interfaces
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أنظمة BIG-IP و BIG-IQ في بيئتك وتوثيق إصداراتها
2. تقييد الوصول إلى iControl REST API وقشرة tmsh للمسؤولين الأساسيين فقط
3. تنفيذ تقسيم الشبكة لتحديد الوصول إلى واجهات الإدارة
4. تفعيل تسجيل التدقيق المفصل لجميع تغييرات تكوين SNMP
5. مراقبة محاولات إنشاء كائنات SNMP المريبة
الضوابط البديلة (حتى توفر التصحيح):
6. تعطيل خدمة SNMP إذا لم تكن مطلوبة للعمليات
7. تنفيذ القائمة البيضاء للعناوين IP لوصول iControl REST و tmsh
8. فرض المصادقة متعددة العوامل للوصول الإداري
9. استخدام VPN أو أجهزة bastion لجميع وصول الإدارة
10. تنفيذ التحكم في الوصول القائم على الأدوار - تحديد تعيينات دور مسؤول الموارد
الكشف:
11. مراقبة سجلات iControl REST لإنشاء كائنات SNMP (طلبات POST إلى /mgmt/tm/sys/snmp/)
12. مراقبة سجلات تدقيق tmsh لأوامر 'create snmp'
13. التنبيه على أي محاولات تصعيد امتيازات أو تعديلات الأدوار
14. تتبع محاولات المصادقة الفاشلة لواجهات الإدارة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Access Control Policy
A.5.2.1 - User Registration and De-registration
A.5.2.2 - User Access Provisioning
A.5.3.1 - Management of Privileged Access Rights
A.5.4.1 - Password Management
A.8.2.1 - User Awareness and Training
A.12.4.1 - Event Logging
A.12.4.3 - Administrator and Operator Logs
🔵 SAMA CSF
ID.AM-1 - Asset Management
PR.AC-1 - Access Control Policy
PR.AC-3 - Access Enforcement
PR.AC-4 - Access Rights Management
PR.PT-1 - Audit and Accountability
DE.CM-1 - System Monitoring
DE.AE-1 - Audit Logging
🟡 ISO 27001:2022
A.5.1.1 - Policies for the use of information and other associated assets
A.5.2.1 - User registration and de-registration
A.5.2.2 - User access provisioning
A.5.3.1 - Management of privileged access rights
A.8.2.1 - Information security awareness, education and training
A.12.4.1 - Event logging
A.12.4.3 - Administrator and operator logs
🟣 PCI DSS v4.0.1
Requirement 2.1 - Configuration standards
Requirement 7 - Restrict access to data by business need to know
Requirement 8 - Identify and authenticate access
Requirement 10 - Track and monitor access to network resources
🔗 References & Sources 1