This vulnerability (CVE-2026-24464) in F5 BIG-IP involves a path traversal issue in an undisclosed iControl REST endpoint when running in Appliance mode. An attacker with administrator role privileges can exploit this to bypass security boundaries and delete files on the system. The affected versions are 21.0.0, 17.5.0, 17.1.0, and 16.1.0. The CVSS v3.1 base score is 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N), indicating network attack vector, low attack complexity, high privileges required, no user interaction, scope changed, no confidentiality impact, high integrity impact, and no availability impact. No vendor advisory or patch information is currently available, and the product is not a cloud service.

An authenticated administrator can exploit this vulnerability to perform directory traversal attacks that allow deletion of files outside intended boundaries, impacting system integrity. There is no confidentiality or availability impact reported. The vulnerability could lead to unauthorized modification or removal of critical files, potentially disrupting system operations or configurations.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is currently documented, administrators should monitor F5's advisories for updates. Restrict administrator access to trusted personnel and consider additional access controls or compensating controls until a patch is available.