CVE-2026-40060EXPLOITEDPATCHED

f5 · big-ip

BIG-IP Advanced WAF and ASM vulnerability

Description

When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Products

Vendor	Product	Versions
f5	big-ip	21.0.0, 17.5.0, 17.1.0, 16.1.0

References

https://my.f5.com/manage/s/article/K000160727(vendor-advisory, patch)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-40060 | F5 BIG-IP prior 17.1.3.1/17.5.1.4/21.0.0.1 Security Policy return value (K000160727)

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

21.1.021.0.0.117.5.1.417.1.3.1*

CWECWE-252

PublishedMay 13, 2026

Last enriched3h agov2

Trending Score56

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-42945EXP

NGINX ngx_http_rewrite_module vulnerability

Trending: 75

MEDIUMCVE-2026-40701EXP

NGINX ngx_http_ssl_module vulnerability

Trending: 58

MEDIUMCVE-2026-42934EXP

NGINX ngx_http_charset_module vulnerability

Trending: 58

HIGHCVE-2026-40629EXP

BIG-IP SSL/TLS vulnerability

Trending: 56

HIGHCVE-2026-40618EXP

BIG-IP SSL/TLS vulnerability

Trending: 56

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 13, 2026

Discovered by ZDM

May 13, 2026

Updated: description, severity, activelyExploited

May 13, 2026

Actively Exploited

May 13, 2026

Patch Available

May 13, 2026

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated severity to CRITICAL, changed exploit availability to false, and provided a more detailed description of the vulnerability.

descriptionseverityactivelyExploited

via VulDB

v14h ago

Initial creation