CVE-2026-42063: CWE-552 Files or Directories Accessible to External Parties in F5 BIG-IP
A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-42063) in F5 BIG-IP involves improper access control in the iControl SOAP interface, permitting authenticated users with elevated roles (Resource Administrator or Administrator) to download sensitive files. The CVSS 3.1 base score is 4.9, reflecting a medium severity with network attack vector, low attack complexity, and high privileges required. The vulnerability does not affect confidentiality, integrity, or availability beyond unauthorized file disclosure. No official remediation or patch has been documented yet, and no known exploits have been reported.
Potential Impact
An attacker with Resource Administrator or Administrator privileges can download sensitive files from the affected BIG-IP versions, potentially leading to unauthorized disclosure of sensitive information. There is no indication of impact on system integrity or availability. The vulnerability requires authenticated access with elevated privileges, limiting the scope of exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the iControl SOAP interface to trusted administrators only and monitor for any unusual file access activity by privileged users.
CVE-2026-42063: CWE-552 Files or Directories Accessible to External Parties in F5 BIG-IP
Description
A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-42063) in F5 BIG-IP involves improper access control in the iControl SOAP interface, permitting authenticated users with elevated roles (Resource Administrator or Administrator) to download sensitive files. The CVSS 3.1 base score is 4.9, reflecting a medium severity with network attack vector, low attack complexity, and high privileges required. The vulnerability does not affect confidentiality, integrity, or availability beyond unauthorized file disclosure. No official remediation or patch has been documented yet, and no known exploits have been reported.
Potential Impact
An attacker with Resource Administrator or Administrator privileges can download sensitive files from the affected BIG-IP versions, potentially leading to unauthorized disclosure of sensitive information. There is no indication of impact on system integrity or availability. The vulnerability requires authenticated access with elevated privileges, limiting the scope of exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the iControl SOAP interface to trusted administrators only and monitor for any unusual file access activity by privileged users.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- f5
- Date Reserved
- 2026-04-30T23:04:19.979Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a049713cbff5d8610dffde5
Added to database: 5/13/2026, 3:21:55 PM
Last enriched: 5/13/2026, 3:52:41 PM
Last updated: 5/14/2026, 6:52:21 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.