Description
An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated attacker who holds the Resource Administrator or Administrator role on an F5 BIG-IP device can use the iControl SOAP interface to create SNMP configuration objects, thereby gaining elevated privileges. The flaw is classified as command injection (CWE-78), allowing an attacker to execute arbitrary commands through the SOAP payload. This escalation can lead to full system compromise if the attacker subsequently uses the newly created SNMP objects to manipulate device settings or access sensitive data.

Affected Systems

All F5 BIG-IP software that supports the iControl SOAP interface is affected by this vulnerability. Versions that have reached End of Technical Support are not evaluated, so any supported release that has not yet been patched remains at risk.

Risk and Exploitability

The CVSS score of 8.5 categorizes the flaw as high severity. No EPSS score is available, and it is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating that no confirmed public exploitation has been reported yet. However, because the attack requires legitimate credentials with specific administrative roles, the exploitability largely depends on the privilege level of compromised accounts. An attacker who can obtain or masquerade as a Resource Administrator or Administrator will be able to create malicious SNMP objects and elevate their access rights, potentially leading to full system compromise.

Generated by OpenCVE AI on May 13, 2026 at 17:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent F5 BIG-IP patch that addresses the iControl SOAP command injection issue.
  • Limit the assignment of Resource Administrator and Administrator roles to only trusted personnel, and regularly review role memberships.
  • If the iControl SOAP service or the SNMP configuration endpoint is not required for your environment, disable or block those services to eliminate the attack surface.

Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | F5; F5 big-ip
Vendors & Products | | F5; F5 big-ip

Wed, 13 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title | | BIG-IP iControl SOAP vulnerability
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}; cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-14T03:56:22.049Z

Reserved: 2026-04-30T23:04:10.882Z

Link: CVE-2026-42924

Vulnrichment

Updated: 2026-05-13T16:12:14.877Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:49.517

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses