Description
An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated attacker using the iControl REST API can cause an information leak of BIG-IP local account names, but not passwords. The weakness is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource), i.e. insufficient privilege checks on the affected endpoints; it permits enumeration of user accounts, which may be leveraged for subsequent credential guessing or social engineering. The disclosure presents a moderate confidentiality risk but does not compromise credentials or system integrity.

Affected Systems

The vulnerability affects F5 BIG-IP devices running any supported release that has not reached End of Technical Support. Specific affected versions are not listed in the advisory, so administrators should verify whether their current image contains the latest patch for the iControl REST API.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available, making it unclear how frequently the flaw is exploited in the wild. Attackers need valid credentials to send requests to the REST interface, so exploitation requires either a compromised local user account or remote access with valid credentials. Because the vulnerability is not listed in the CISA KEV catalog, there is no known widespread exploitation, but the exposure of account names can aid privilege escalation or phishing campaigns.

Generated by OpenCVE AI on May 13, 2026 at 17:12 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 BIG-IP patch that addresses the iControl REST issue.
  • Restrict iControl REST API access to trusted internal hosts by firewalling or subnet filtering.
  • Monitor and audit iControl REST request logs for suspicious activity and review account names for anomalies.

Generated by OpenCVE AI on May 13, 2026 at 17:12 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 11:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 17:15:00 +0000

Type: First Time appeared
Values Added: F5; F5 big-ip

Type: Vendors & Products
Values Added: F5; F5 big-ip

Wed, 13 May 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type: Description
Values Added: An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Title
Values Added: BIG-IP iControl REST vulnerability

Type: Weaknesses
Values Added: CWE-732

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-14T10:32:31.572Z

Reserved: 2026-04-30T23:04:20.031Z

Link: CVE-2026-42058

Vulnrichment

Updated: 2026-05-13T16:09:12.461Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:46.243

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses