CVE-2026-42058 Overview
CVE-2026-42058 is an information disclosure vulnerability in the F5 BIG-IP iControl REST interface. An authenticated attacker can issue undisclosed requests to the REST API and retrieve the names of BIG-IP local user accounts. The flaw is categorized under [CWE-732] Incorrect Permission Assignment for Critical Resource. F5 has documented the issue in its F5 Technical Article K000160903. Software versions that have reached End of Technical Support (EoTS) were not evaluated and remain out of scope.
Critical Impact
Authenticated attackers can enumerate local BIG-IP user account names through iControl REST, supplying reconnaissance data for follow-on credential attacks against management plane accounts.
Affected Products
- F5 BIG-IP (versions detailed in the F5 advisory)
- F5 BIG-IP iControl REST management interface
- BIG-IP local user account subsystem
Discovery Timeline
- 2026-05-13 - CVE-2026-42058 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42058
Vulnerability Analysis
The vulnerability resides in the BIG-IP iControl REST API, the primary programmatic management interface for F5 BIG-IP devices. Authenticated users with limited privileges can submit specific undisclosed requests that return BIG-IP local user account names. The condition maps to [CWE-732], where a resource is granted broader read access than its sensitivity warrants.
Account enumeration is reconnaissance, not direct compromise. Disclosed usernames feed targeted password spraying, credential stuffing, and social engineering against the management plane. Because BIG-IP devices terminate TLS, balance application traffic, and broker authentication, harvested administrator names raise the value of any subsequent credential attack. The EPSS probability sits at 0.041%, indicating low near-term exploitation likelihood, but the data returned has lasting reconnaissance value.
Root Cause
The root cause is overly permissive authorization on an iControl REST endpoint. The endpoint exposes user account metadata to authenticated callers without enforcing the role separation expected for administrative identity data. F5 has not published the specific endpoint path or parameter, treating it as an undisclosed request to slow opportunistic exploitation.
Attack Vector
Exploitation requires network access to the BIG-IP management interface and valid authenticated credentials (PR:L). The attacker sends an HTTPS request to the affected iControl REST endpoint. The response includes BIG-IP local user account names. No user interaction is required, and the attack does not modify configuration or impact availability. Confidentiality impact is limited to identity metadata (VC:L).
No verified public exploit code is available. See the F5 Technical Article K000160903 for vendor-specific technical details.
Detection Methods for CVE-2026-42058
Indicators of Compromise
- Authenticated iControl REST requests originating from unexpected source IPs or service accounts targeting user management endpoints under /mgmt/tm/auth/.
- Bursts of low-privilege API calls returning JSON payloads that include name fields for local accounts.
- Authenticated sessions performing API reconnaissance outside normal change windows or automation schedules.
Detection Strategies
- Enable verbose iControl REST audit logging and forward /var/log/restjavad-audit.0.log and /var/log/audit to a central log platform.
- Baseline normal API consumers and alert on new clients issuing read calls against authentication-related URIs.
- Correlate authenticated REST activity with management-plane source IPs to detect access from non-administrative segments.
Monitoring Recommendations
- Monitor for repeated 200 OK responses on undisclosed user-listing endpoints from a single token or session.
- Track failed login spikes that follow successful iControl REST queries, a sequence consistent with username harvesting then password spraying.
- Review role assignments for all BIG-IP local accounts and alert on read access by non-admin roles.
How to Mitigate CVE-2026-42058
Immediate Actions Required
- Apply the fixed version listed in F5 Technical Article K000160903 for your BIG-IP branch.
- Restrict iControl REST access to a dedicated management network and block exposure from user or internet-facing VLANs.
- Rotate credentials for any low-privilege BIG-IP accounts that may have been used to query the affected endpoint.
- Audit existing local user accounts and remove dormant or unnecessary administrative identities.
Patch Information
F5 has published guidance in F5 Technical Article K000160903. Upgrade BIG-IP to a supported, fixed release as listed in the advisory. Versions that have reached End of Technical Support are not evaluated and should be migrated to a supported branch.
Workarounds
- Limit iControl REST access using the BIG-IP management httpd allow list and firewall rules so only trusted administrative hosts can reach the API.
- Enforce least privilege for all BIG-IP local accounts and avoid issuing API tokens to operators who do not require them.
- Require multi-factor authentication on the management plane to reduce the value of harvested usernames.
# Restrict iControl REST and httpd management access to trusted hosts
tmsh modify sys httpd allow replace-all-with { 10.10.0.0/24 192.168.50.10 }
tmsh save sys config
# Review local user accounts and assigned roles
tmsh list auth user
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
