CVE-2026-42924 Overview
CVE-2026-42924 is a privilege escalation vulnerability in F5 iControl SOAP. An authenticated attacker holding the Resource Administrator or Administrator role can create SNMP configuration objects through the iControl SOAP interface. Creating these objects results in privilege escalation beyond the attacker's existing role boundary.
The weakness is categorized under [CWE-78] (OS Command Injection). F5 notes that software versions which have reached End of Technical Support (EoTS) are not evaluated in this advisory.
Critical Impact
Authenticated administrators can escalate privileges on F5 systems by abusing SNMP object creation through iControl SOAP, breaking the boundary between administrative roles and underlying operating system access.
Affected Products
- F5 BIG-IP products exposing the iControl SOAP interface
- Configurations permitting Resource Administrator or Administrator role assignments
- Versions enumerated in F5 Security Article K000160926; EoTS versions are not evaluated
Discovery Timeline
- 2026-05-13 - CVE-2026-42924 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42924
Vulnerability Analysis
The vulnerability resides in how F5 iControl SOAP processes SNMP configuration object creation. iControl SOAP is the legacy XML-based API used to administer F5 BIG-IP devices. SNMP configuration objects on these systems can reference command strings or scripts that the SNMP daemon executes with elevated privileges.
When a Resource Administrator or Administrator submits a crafted SOAP request, the server creates the SNMP object without sufficiently restricting executable content. This crosses a trust boundary because these roles are intended to manage application configuration rather than execute arbitrary OS commands.
The [CWE-78] classification indicates that attacker-controlled input flows into operating system command execution. Exploitation yields code execution at the privilege level of the SNMP subsystem, effectively elevating the authenticated user beyond their assigned role.
Root Cause
The iControl SOAP handler for SNMP object creation does not enforce role-based restrictions on fields that translate to OS-level command execution. Resource Administrator was designed as a constrained role, yet the SOAP endpoint accepts inputs that the SNMP daemon later executes as a shell command.
Attack Vector
The attack vector is network-based but requires high privileges. An attacker must first obtain credentials for a Resource Administrator or Administrator account. With that access, the attacker sends a SOAP request to the iControl endpoint that defines an SNMP configuration object containing an embedded command payload.
The vulnerability is described in prose because no public proof-of-concept code has been released. Refer to F5 Security Article K000160926 for vendor-supplied technical detail.
Detection Methods for CVE-2026-42924
Indicators of Compromise
- Unexpected SOAP requests to iControl endpoints targeting SNMP configuration objects, particularly Management::SNMPConfiguration methods
- Creation or modification of SNMP traps, communities, or pass-through configurations outside of change windows
- New child processes spawned by the SNMP daemon (snmpd) that do not match a baseline of expected utilities
- Authentication events for Resource Administrator accounts immediately followed by SNMP configuration changes
Detection Strategies
- Enable iControl SOAP audit logging and alert on create, modify, or add operations against SNMP object types
- Correlate F5 audit logs with process telemetry to flag command execution descended from snmpd
- Baseline normal SNMP configuration activity per administrator and alert on deviations
Monitoring Recommendations
- Forward F5 BIG-IP audit, secure, and SOAP logs to a centralized SIEM for cross-source correlation
- Monitor administrative role assignments and changes to the Resource Administrator group
- Track outbound connections initiated from BIG-IP management plane interfaces that deviate from operational norms
How to Mitigate CVE-2026-42924
Immediate Actions Required
- Apply the fixed versions identified in F5 Security Article K000160926 as soon as the update window allows
- Audit all accounts holding Resource Administrator or Administrator roles and remove unnecessary assignments
- Rotate credentials for any administrative account that may have been exposed
- Restrict management plane access to a dedicated administrative network
Patch Information
F5 has published remediation guidance in F5 Security Article K000160926. Customers should consult the article for the list of fixed releases mapped to their deployed BIG-IP version. End of Technical Support (EoTS) branches are not evaluated and should be upgraded to a supported release.
Workarounds
- Disable the iControl SOAP interface where it is not required for operational tooling
- Apply network access controls that restrict iControl SOAP to a defined set of management hosts
- Enforce least privilege by replacing Administrator and Resource Administrator assignments with more restrictive roles where feasible
- Require multi-factor authentication for all administrative access to BIG-IP management interfaces
# Example: restrict iControl SOAP access via TMSH self IP port lockdown
tmsh modify net self <self-ip> allow-service { tcp:443 }
tmsh modify sys httpd allow replace-all-with { <management-subnet> }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
