Description
A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.

 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability manifests in iControl REST on F5 BIG-IP when a user holding the Manager role creates configuration objects. Those objects can be crafted so that the device's operating system runs arbitrary commands, effectively giving the authenticated attacker full command-line control. The flaw is rooted in improper validation of object contents, which lets a privileged user instruct the system to execute code outside its intended management functions, a classic arbitrary code execution vulnerability.

Affected Systems

Affected systems are F5 BIG-IP appliances that expose iControl REST and run a release still within the technical support window. The advisory specifically notes that software versions which have reached End of Technical Support are not evaluated, so only currently supported releases are assessed as at risk.

Risk and Exploitability

The CVSS score of 8.6 classifies this issue as high severity. EPSS data is not available, and the vulnerability does not appear in the CISA KEV catalog. The attack requires an authenticated user with Manager-level permissions; therefore, the primary attack vector is a privileged attacker who can already log in to the REST API. Once that role is obtained, the attacker may conduct lateral movement or install persistent backdoors via the command shell, leading to full compromise of the BIG-IP device.

Generated by OpenCVE AI on May 13, 2026 at 17:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-issued security patch for BIG-IP that restricts configuration object creation to trusted users only
  • Upgrade to the latest supported BIG-IP release where the iControl REST flaw has been fixed
  • Restrict the Manager role to the minimum necessary users and enforce least-privilege principles for REST API access


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared   (none)            F5; F5 big-ip
Vendors & Products    (none)            F5; F5 big-ip
Metrics               (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type          Values Removed    Values Added
Description   (none)            A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title         (none)            iControl REST vulnerability
Weaknesses    (none)            CWE-648
References    (none)            (none)
Metrics       (none)            cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}
                                cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-14T03:56:27.605Z

Reserved: 2026-04-30T23:04:10.907Z

Link: CVE-2026-41225

Vulnrichment

Updated: 2026-05-13T16:11:03.781Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:44.777

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-41225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses