Directory Traversal Vulnerability in F5 Networks iControl REST API
CVE-2026-24464

6.9 MEDIUM

Key Information:

Vendor: F5

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-24464?

A directory traversal vulnerability exists in an undisclosed iControl REST endpoint when BIG-IP is running in Appliance mode. It allows an authenticated attacker with administrator role privileges to navigate outside the intended security boundary and potentially delete critical files on the system. Because it can be exploited by users with elevated permissions, affected organizations should mitigate this risk promptly.

Affected Version(s)

BIG-IP 21.0.0 < 21.0.0.2

BIG-IP 17.5.0 < 17.5.1.6

BIG-IP 17.1.0 < 17.1.3.2

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5