Description
An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authenticated weakness that allows an attacker with low‑privilege iControl REST credentials to create or modify any file on a BIG‑IQ system through an undisclosed REST endpoint. Because this affects the file system directly, an attacker could overwrite configuration files, inject malicious scripts, or otherwise corrupt system state, compromising integrity. The weakness is a directory‑traversal flaw (CWE‑22): input validation on the supplied path is insufficient to confine writes to the intended directory. The impact is that the attacker's normal privileges are effectively elevated to arbitrary file write, exposing the system to potential malicious code deployment.

Affected Systems

The affected system is F5 BIG‑IQ. No specific version constraints are listed; however, versions that have reached End of Technical Support are excluded from evaluation, so only supported releases are affected.

Risk and Exploitability

The CVSS score of 7.2 indicates a moderate to high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires valid user credentials, but only low privilege, so the likelihood of exploitation within a compromised environment is significant, especially if permissions are misconfigured. The file‑write capability provides a foothold that could lead to further attacks if the attacker can execute code or modify configurations. Network isolation and least‑privilege access are recommended to limit the risk.

Generated by OpenCVE AI on May 13, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BIG‑IQ system to a patch level that resolves the iControl REST file‑write flaw.
  • Disable or limit the undisclosed iControl REST endpoint that permits file creation or modification.
  • Restrict iControl REST user roles so that low‑privilege accounts cannot write to the file system.
  • Deploy network segmentation or firewall rules to restrict external visibility of the BIG‑IQ management interfaces.
  • Enable logging and monitoring to detect unexpected file changes.

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: F5; F5 big-iq

Type: Vendors & Products
Values Removed: (none)
Values Added: F5; F5 big-iq

Wed, 13 May 2026 15:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Title
Values Removed: (none)
Values Added: BIG-IQ iControl REST vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

cvssV4_0
{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:15:23.105Z

Reserved: 2026-01-21T21:33:16.387Z

Link: CVE-2026-20916

Vulnrichment

Updated: 2026-05-13T16:15:17.341Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:36.210

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-20916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:00:14Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')