CVE-2026-42780 Overview
CVE-2026-42780 is a directory traversal vulnerability in F5 BIG-IP SSL Orchestrator. The flaw allows an authenticated attacker holding high-privilege credentials to overwrite, delete, or corrupt arbitrary local files on the appliance. F5 published the issue in technical article K000149743. Software versions that have reached End of Technical Support (EoTS) were not evaluated by the vendor.
The weakness maps to CWE-22: Improper Limitation of a Pathname to a Restricted Directory. Exploitation requires authentication, which reduces opportunistic abuse but does not eliminate risk in environments where administrative credentials are shared or compromised.
Critical Impact
An authenticated high-privilege attacker can manipulate arbitrary files on a BIG-IP SSL Orchestrator appliance, undermining file integrity and potentially disrupting traffic inspection services.
Affected Products
- F5 BIG-IP SSL Orchestrator (supported versions per F5 advisory K000149743)
- BIG-IP platforms running the SSL Orchestrator module
- Versions that have reached End of Technical Support (EoTS) were not evaluated by F5 and should be treated as potentially affected until upgraded
Discovery Timeline
- 2026-05-13 - CVE-2026-42780 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42780
Vulnerability Analysis
The vulnerability resides in BIG-IP SSL Orchestrator's handling of user-supplied path input. The product fails to properly restrict pathnames to an intended directory, classified under CWE-22. An authenticated administrator can submit crafted path sequences that traverse outside the expected working directory and reference arbitrary files on the underlying filesystem.
Successful exploitation impacts file integrity. An attacker can overwrite configuration files, delete log evidence, or corrupt binaries used by the appliance. The issue is described in terms of integrity; any confidentiality or availability effect is a downstream consequence of which files are overwritten or deleted rather than a direct read or crash primitive. Because SSL Orchestrator brokers decrypted traffic to inspection devices, file corruption on the appliance can degrade the security inspection chain.
Exploitation requires valid high-privilege credentials and network reachability to the management interface; no user interaction is needed. The flaw is not a direct code execution primitive, but an arbitrary file write on a network appliance is routinely chained into persistence or denial of service, so the authentication requirement should not by itself be read as low severity.
Root Cause
The root cause is improper sanitization of pathname inputs in an SSL Orchestrator administrative function. Traversal sequences such as ../ (and their encoded equivalents) are neither normalized nor rejected before the resolved path is used in a filesystem write, so the final path can escape the intended directory.
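To make the root cause concrete, here is an added, generic illustration (not F5 code and not derived from the advisory) of a write handler that joins a caller-supplied name onto a base directory with no containment check, beside a confined version that resolves the path first and then requires it to stay under the base. The function names, the base directory and the sample inputs are assumptions made for the example.

```python
"""Added illustration of CWE-22 in a write path: unconfined join beside a confined one.
Generic example, not F5 code and not derived from the advisory."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a caller-supplied name would resolve outside the base directory."""


def unsafe_target(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: concatenate and use. '..' segments are honored as-is,
    so '../../etc/passwd' walks out of base_dir (normpath applied to show where it lands)."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_target(base_dir: str, user_path: str) -> str:
    """Hardened pattern: resolve symlinks and '..' first, then require containment.
    Absolute inputs, NUL bytes and symlinks pointing outside the base are all rejected."""
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    base = Path(base_dir).resolve()
    # An absolute user_path replaces base entirely; resolve() makes that visible to the check.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} resolves to {candidate}, outside {base}")
    return str(candidate)


def demo() -> dict:
    """Run both patterns against representative inputs inside a throwaway directory.
    Returns {input: outcome} for the hardened version plus the unsafe join's result."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "config")
        base.mkdir()
        outside = Path(tmp, "outside")
        outside.mkdir()
        cases = ["app.conf", "sub/../app.conf", "../outside/x", "/etc/passwd", "a\x00b"]
        try:
            (base / "link").symlink_to(outside)  # symlink escape attempt
            cases.append("link/x")
        except OSError:
            pass  # platforms without symlink support skip that case
        for c in cases:
            try:
                safe_target(str(base), c)
                outcomes[c] = "allowed"
            except PathTraversalError:
                outcomes[c] = "rejected"
    # Hypothetical base directory; shows the unconfined join escaping to /opt/etc/passwd.
    outcomes["unsafe:../../etc/passwd"] = unsafe_target("/opt/app/config", "../../etc/passwd")
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:32} -> {outcome}")
```

The containment test is done on the fully resolved path rather than on the raw string, which is what defeats encoded variants, `..` segments hidden behind a valid prefix, and symlinks planted inside the base; a `startswith(base_dir)` string check would miss the symlink case and would also accept a sibling directory such as `/opt/app/config2`.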
Attack Vector
The attack vector is the network-accessible management plane of BIG-IP SSL Orchestrator. An attacker authenticates with a high-privilege account, then sends a request containing a manipulated path parameter that resolves to an arbitrary location on disk. The targeted operation writes, deletes, or truncates the file at the resolved location.
No public proof-of-concept exploit is referenced in the F5 advisory or the NVD entry at publication time. Refer to the F5 Technical Article K000149743 for vendor-supplied technical detail.
Detection Methods for CVE-2026-42780
Indicators of Compromise
- Unexpected modification timestamps on BIG-IP SSL Orchestrator configuration files or system binaries
- Administrative API or iControl REST requests containing ../, ..\, or URL-encoded traversal sequences in path parameters
- Missing or truncated audit and access logs on the appliance that cannot be correlated with scheduled rotation
- Authentication events from administrative accounts originating from unexpected source addresses
Detection Strategies
- Inspect management plane HTTP request logs for traversal patterns targeting SSL Orchestrator endpoints, decoding before matching so that ../, ..%2f, %2e%2e%2f, double-encoded %252e%252e%252f and backslash (..%5c) variants are all caught
- Compare on-disk file hashes of configuration and binary directories against a known-good baseline
- Alert on administrative write operations performed outside scheduled change windows
- Correlate privileged session activity with file integrity monitoring events on the appliance
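The log-inspection strategy above is easy to get wrong when matching is done on raw request strings: double-encoded and backslash variants slip past a literal grep for ../, while a filename that merely contains .. produces false positives. The following added Python example (not from the page, the advisory or F5) decodes the request target repeatedly, normalizes separators, and flags only a genuine .. path or query component. The log lines are constructed in Apache-style access log format, and the /mgmt/shared/sslo/upload endpoint and its name parameter are hypothetical; the logic applies to any management-plane access log you forward off-box.

```python
"""Added example: traversal detection over management-plane access logs.
Constructed sample data; the endpoint and parameter names are hypothetical."""
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not real BIG-IP output).
SAMPLE_LOG = """\
10.10.0.5 - admin [13/May/2026:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
10.10.0.9 - admin [13/May/2026:10:02:10 +0000] "POST /mgmt/shared/sslo/upload?name=..%2f..%2fetc%2fhosts HTTP/1.1" 200 90
10.10.0.9 - admin [13/May/2026:10:02:11 +0000] "POST /mgmt/shared/sslo/upload?name=%252e%252e%252fconfig HTTP/1.1" 200 90
10.10.0.9 - admin [13/May/2026:10:02:12 +0000] "POST /mgmt/shared/sslo/upload?name=..%5c..%5cvar%5clog HTTP/1.1" 200 90
10.10.0.5 - admin [13/May/2026:10:03:00 +0000] "GET /mgmt/tm/ltm/node/~Common~web..srv HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %252e%252e -> %2e%2e -> .. is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    """True if any path or query component, after decoding, is exactly '..'.
    Backslashes are treated as separators; a name like 'web..srv' is not flagged."""
    normalized = fully_decode(target).replace("\\", "/")
    components = re.split(r"[/?&=;]", normalized)
    return ".." in components


def scan(log_text: str) -> list:
    """Return one record per request whose target carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if has_traversal(m["target"]):
            hits.append({"client": m["client"], "user": m["user"], "ts": m["ts"],
                         "method": m["method"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['user']} {hit['method']} {hit['target']}")
```

Two caveats a practitioner should keep in mind: overlong UTF-8 encodings such as %c0%ae are not recovered by standard percent-decoding (unquote substitutes a replacement character), so a separate rule is needed if the target server is known to accept them, and traversal carried in a POST body or multipart filename never appears in the access log at all, which is one reason the file-integrity checks listed above are needed alongside request-log inspection.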
Monitoring Recommendations
- Forward BIG-IP audit logs and iControl REST access logs to a centralized log platform for long-term retention
- Enable file integrity monitoring against /config, /etc, and SSL Orchestrator-specific directories
- Monitor for administrative account creation, password changes, and role escalations on the appliance
- Track session origin, duration, and command activity for all high-privilege BIG-IP accounts
How to Mitigate CVE-2026-42780
Immediate Actions Required
- Apply the fixed BIG-IP SSL Orchestrator version listed in F5 Technical Article K000149743
- Restrict management interface access to a dedicated administrative network segment
- Rotate credentials for any administrative account that may have been exposed
- Review recent administrative activity and file modification history on affected appliances
Patch Information
F5 published remediation guidance in K000149743. Administrators should consult the article for the specific fixed versions corresponding to their deployed BIG-IP SSL Orchestrator branch. Versions past End of Technical Support were not evaluated and should be upgraded to a supported branch.
Workarounds
- Minimize the number of accounts holding the high-privilege role needed to reach the vulnerable function, and assign lower-privilege BIG-IP roles to everyone else, so least privilege limits who can even attempt exploitation
- Enforce network access control lists on the management interface to permit only approved administrative hosts
- Require multi-factor authentication for all BIG-IP administrative logins
- Increase logging verbosity and ship logs off-box so a successful attack cannot delete local evidence
# Restrict BIG-IP management access (GUI, iControl REST, SSH) to an administrative subnet.
# 10.10.0.0/24 is a placeholder; include the subnet you are connecting from or you will lock yourself out.
tmsh modify /sys httpd allow replace-all-with { 10.10.0.0/24 }
tmsh modify /sys sshd allow replace-all-with { 10.10.0.0/24 }
# Confirm both allow lists look right (tmsh list /sys httpd allow; tmsh list /sys sshd allow) before persisting.
tmsh save /sys config
# These lists do not change self IP port lockdown; review that separately so 443 and 22 are not reachable via data-plane self IPs.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.