Privilege Escalation Vulnerability in F5 iControl SOAP Configuration
CVE-2026-42924

8.5HIGH

Key Information:

Vendor: F5
Status: Big-ip
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-42924?

An authenticated user with Resource Administrator or Administrator privileges can exploit the F5 iControl SOAP interface to create SNMP configuration objects, enabling unauthorized access and control over the network device. This flaw underscores the importance of access controls and timely security patches to mitigate potential threats.

Affected Version(s)

BIG-IP 21.0.0 < 21.0.0.1

BIG-IP 17.5.0 < 17.5.1.4

BIG-IP 17.1.0 < 17.1.3.1

References

https://my.f5.com/manage/s/article/K000160926

vendor-advisorypatch

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

F5 acknowledges Adam Logue for bringing this issue to our attention and following the highest standards of coordinated disclosure.

CVE-2026-42924 Data

JSON