CVE-2026-40699
BIG-IP Configuration utility vulnerability
In short
The BIG-IP Configuration utility has hidden pages that a logged-in user with low privileges can access to view sensitive information they shouldn't see. This is a problem because attackers with basic account access can discover and read data meant to be restricted.
Technical detail
An XPath injection vulnerability (CWE-643) in undisclosed Configuration utility pages lets a low-privileged authenticated user bypass access controls and retrieve sensitive information. Exploitation requires valid credentials but no elevated privileges; the resulting information disclosure can serve as a stepping stone to horizontal or vertical privilege escalation.
Summary generated and translated by AI from the official description.
A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
F5 · BIG-IP