Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (f5) · only source for this CVE.
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Authenticated low-privilege users can write arbitrary files to the BIG-IQ system filesystem via path traversal in an undisclosed iControl REST endpoint, enabling system compromise through configuration manipulation or code execution. F5 has released patches for supported versions. While requiring authentication (PR:L), the low complexity (AC:L) and network vector (AV:N) allow remote attackers with minimal access to achieve high integrity and availability impact through file overwrites of critical system or application files.
Technical ContextAI
BIG-IQ is F5's centralized management platform for BIG-IP devices, using iControl REST API for programmatic configuration and monitoring. This vulnerability exploits CWE-22 (Path Traversal) in an undisclosed iControl REST endpoint, where insufficient input validation allows authenticated users to escape intended directory boundaries using relative path sequences (e.g., '../') in API requests. The iControl REST framework should restrict file operations to designated directories based on user privilege levels, but the vulnerable endpoint fails to properly sanitize file path parameters. This enables low-privilege users to write files outside their authorized scope, potentially overwriting system configuration files, startup scripts, or web application code to escalate privileges or achieve code execution.
RemediationAI
Apply vendor-supplied patches immediately per F5 Security Advisory K000158029 (https://my.f5.com/manage/s/article/K000158029), which provides version-specific upgrade paths for supported BIG-IQ releases. Until patching is complete, implement network-level access controls restricting iControl REST API access to trusted administrative hosts only (not general network access), enforce least-privilege principles by auditing and removing unnecessary low-privilege API accounts, enable comprehensive API request logging to detect path traversal attempts (monitor for '../' sequences or absolute paths in file parameters), and review existing file integrity on BIG-IQ systems to identify any unauthorized modifications. Note that restricting API access may impact legitimate automation workflows and should be coordinated with application teams. If running an EoTS version, prioritize migration to a supported release as no patches will be issued for unsupported versions.
F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote authenticated users to change the password of arbitrary u
Remote code execution in F5 BIG-IP and BIG-IQ Configuration utility allows authenticated attackers with low privileges t
Command injection in F5 BIG-IP and BIG-IQ SNMP configuration allows highly privileged Resource Administrators to escalat
Configuration manipulation in F5 BIG-IP and BIG-IQ Certificate Manager allows authenticated attackers with high privileg
Arbitrary command execution in F5 BIG-IP and BIG-IQ Certificate Manager allows highly privileged attackers with Certific
BIG-IP QKView utility fails to properly sanitize sensitive data in diagnostic files, allowing authenticated attackers to
Incorrect permission assignment in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and iControl REST al
Incorrect permission assignment in F5 BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl R
Sensitive information disclosure in F5 BIG-IP and BIG-IQ allows authenticated administrators with resource administrator
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29957
GHSA-wph4-q4m8-f794