Description
A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A directory traversal flaw in the F5 BIG‑IP SSL Orchestrator allows an attacker who has already authenticated with high‑level privileges to overwrite, delete, or corrupt arbitrary local files. This path traversal (CWE‑22) vulnerability undermines the integrity of the system and can disrupt or compromise services.

Affected Systems

The issue affects F5’s BIG‑IP product and its connected SSL Orchestrator component. No specific version numbers are listed, but any supported installation that has not reached End of Technical Support may be vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS is not available, and the vulnerability is not in CISA’s KEV catalog. Exploitation requires an authenticated attacker with high privileges, so the risk largely depends on internal access controls and credential protection.

Generated by OpenCVE AI on May 13, 2026 at 17:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch for BIG‑IP SSL Orchestrator as released by F5
  • Restrict high‑privilege account usage and enforce the principle of least privilege to limit traversal exploitation
  • Implement file‑integrity monitoring to detect unauthorized overwrites or deletions of critical system files

Advisories

No advisories yet.

History

Wed, 13 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | F5; F5 big-ip; F5 ssl Orchestrator
Vendors & Products | | F5; F5 big-ip; F5 ssl Orchestrator

Wed, 13 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title | | BIG-IP SSL Orchestrator vulnerability
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:16:50.731Z

Reserved: 2026-04-30T23:02:33.926Z

Link: CVE-2026-42780

Vulnrichment

Updated: 2026-05-13T16:16:43.412Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:48.303

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42780

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses