Description
When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cross a security boundary and delete files.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a directory traversal flaw in an undisclosed iControl REST endpoint that is active only when the device runs in Appliance mode. If an attacker can authenticate with administrator privileges, the endpoint can be exploited to delete arbitrary files by providing a path that traverses directories. The impact is loss of system or configuration files that the device relies on for operation.

Affected Systems

F5 BIG-IP appliances operating in Appliance mode are affected. The CVE description does not specify affected firmware versions; however, the advisory notes that only supported versions are evaluated. Administrators should confirm whether their deployment is running in Appliance mode and whether it is on a supported firmware release.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. EPSS is not available, so exploitation likelihood is unknown. The flaw is not listed in the CISA KEV catalog. The vulnerability requires valid administrator credentials and authenticated access; therefore, an attacker must first obtain privileged access before the directory traversal can be used to delete files.

Generated by OpenCVE AI on May 13, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and apply the latest F5 BIG-IP firmware or patch that closes the iControl REST directory traversal vulnerability from the vendor support portal.
  • Restrict iControl REST access to a trusted administrative network segment and enforce strict role‑based permissions so only legitimate administrators can reach the endpoint.
  • Configure input validation policies or firewall rules to reject traversal patterns (e.g., '../') in REST requests and enforce path normalization at the application layer.
  • If Appliance mode is not required for your environment, consider disabling it to eliminate the vulnerable code path.



Advisories

No advisories yet.

History

Wed, 13 May 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    F5, F5 big-ip
Vendors & Products                     F5, F5 big-ip

Wed, 13 May 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cross a security boundary and delete files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title                          Appliance mode iControl REST vulnerability
Weaknesses                     CWE-35
References
Metrics                        cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:08:17.492Z

Reserved: 2026-04-30T23:04:27.931Z

Link: CVE-2026-24464

Vulnrichment

Updated: 2026-05-13T16:08:12.880Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:36.997

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-24464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:45:25Z

Weaknesses