Skip to main content

BIG-IQ EUVDEUVD-2026-29957

| CVE-2026-20916 HIGH
Path Traversal (CWE-22)
2026-05-13 f5 GHSA-wph4-q4m8-f794
7.2
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (f5) · only source for this CVE.

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 16:22 NVD
8.1 (HIGH) 7.2 (HIGH)
Analysis Generated
May 13, 2026 - 15:45 vuln.today
CVE Published
May 13, 2026 - 14:12 nvd
HIGH 8.1

DescriptionCVE.org

An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Authenticated low-privilege users can write arbitrary files to the BIG-IQ system filesystem via path traversal in an undisclosed iControl REST endpoint, enabling system compromise through configuration manipulation or code execution. F5 has released patches for supported versions. While requiring authentication (PR:L), the low complexity (AC:L) and network vector (AV:N) allow remote attackers with minimal access to achieve high integrity and availability impact through file overwrites of critical system or application files.

Technical ContextAI

BIG-IQ is F5's centralized management platform for BIG-IP devices, using iControl REST API for programmatic configuration and monitoring. This vulnerability exploits CWE-22 (Path Traversal) in an undisclosed iControl REST endpoint, where insufficient input validation allows authenticated users to escape intended directory boundaries using relative path sequences (e.g., '../') in API requests. The iControl REST framework should restrict file operations to designated directories based on user privilege levels, but the vulnerable endpoint fails to properly sanitize file path parameters. This enables low-privilege users to write files outside their authorized scope, potentially overwriting system configuration files, startup scripts, or web application code to escalate privileges or achieve code execution.

RemediationAI

Apply vendor-supplied patches immediately per F5 Security Advisory K000158029 (https://my.f5.com/manage/s/article/K000158029), which provides version-specific upgrade paths for supported BIG-IQ releases. Until patching is complete, implement network-level access controls restricting iControl REST API access to trusted administrative hosts only (not general network access), enforce least-privilege principles by auditing and removing unnecessary low-privilege API accounts, enable comprehensive API request logging to detect path traversal attempts (monitor for '../' sequences or absolute paths in file parameters), and review existing file integrity on BIG-IQ systems to identify any unauthorized modifications. Note that restricting API access may impact legitimate automation workflows and should be coordinated with application teams. If running an EoTS version, prioritize migration to a supported release as no patches will be issued for unsupported versions.

Share

EUVD-2026-29957 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy