Description
A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the iControl SOAP interface allows an authenticated attacker possessing the Resource Administrator or Administrator role to retrieve sensitive files from the F5 BIG‑IP system. The vulnerability enables unauthorized disclosure of data that could include configuration, documentation, or logs, thereby compromising confidentiality and potentially aiding further attacks. The weakness maps to a permissions issue where privileged users can read files beyond their intended scope (CWE‑552).

Affected Systems

The affected product is F5 BIG‑IP. Software versions that have reached End of Technical Support are not evaluated for this issue.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited known exploitation at this time. Exploitation requires a valid authenticated session with at least Resource Administrator or Administrator rights, and the attacker must be able to send SOAP requests to the target system. Once accessed, the attacker can download any readable file from the file system via the SOAP interface.

Generated by OpenCVE AI on May 13, 2026 at 17:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether iControl SOAP is enabled on your F5 BIG‑IP installation and limit access to trusted administrative networks.
  • Ensure that only necessary users are assigned the Resource Administrator or Administrator roles; consider a role‑based access control policy that minimizes file access rights.
  • Apply the latest F5 firmware or security patch that resolves the iControl SOAP file disclosure issue as soon as it becomes available, and confirm that file download capabilities are removed for non‑privileged roles.


Advisories

No advisories yet.

History

Wed, 13 May 2026 18:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   F5, F5 big-ip
Vendors & Products                    F5, F5 big-ip

Wed, 13 May 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title                          iControl SOAP vulnerability
Weaknesses                     CWE-552
References
Metrics                        cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:10:54.359Z

Reserved: 2026-04-30T23:04:19.979Z

Link: CVE-2026-42063

Vulnrichment

Updated: 2026-05-13T16:10:49.867Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:46.440

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42063

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:45:25Z

Weaknesses