high threat

CVE-2026-20916: F5 BIG-IQ iControl REST Arbitrary File Modification

CVE-2026-20916 describes a vulnerability in F5 BIG-IQ where an authenticated user with low privileges can create or modify arbitrary files via an undisclosed iControl REST endpoint, potentially leading to privilege escalation or system compromise.

The vulnerability exists because an undisclosed iControl REST endpoint lacks proper authorization checks. Successful exploitation could allow an attacker to overwrite critical system files, execute arbitrary code, or escalate privileges. F5 does not evaluate software versions that have reached End of Technical Support (EoTS) for this vulnerability.

Attack Chain

  1. An attacker authenticates to the BIG-IQ system as a low-privileged user.
  2. The attacker identifies an undisclosed iControl REST endpoint vulnerable to arbitrary file modification.
  3. The attacker crafts a malicious request to the identified endpoint.
  4. The crafted request includes a file path and content to be written or modified. This path may leverage path traversal (CWE-22) to reach protected directories.
  5. The BIG-IQ system processes the request without proper authorization checks, allowing the attacker to write or modify the specified file.
  6. The attacker modifies a critical system file, such as a configuration file or startup script, to inject malicious code.
  7. The injected code is executed when the system restarts or a related service is invoked.
  8. The attacker achieves arbitrary code execution with elevated privileges.

Impact

Successful exploitation of CVE-2026-20916 can lead to significant consequences. An attacker could gain complete control of the affected BIG-IQ system, potentially disrupting network services and compromising sensitive data. Given the role of BIG-IQ in managing F5 devices, a successful attack could also lead to the compromise of other systems within the network. The impact is heightened by the relative ease of exploitation, requiring only low-privileged access and a crafted API request.

Recommendation

  • Apply the updates or mitigations provided by F5 Networks in their security advisory [https://my.f5.com/manage/s/article/K000158029].
  • Monitor iControl REST endpoint access logs for suspicious activity, particularly POST requests with unusual file paths.
  • Implement the Sigma rules listed below to detect attempts to write to sensitive file paths.
  • Review and enforce the principle of least privilege for all iControl REST users.
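The log-monitoring recommendation above, sketched as an added example (not F5's code and not the platform's Sigma rules): it flags write-method requests under `/mgmt/` whose decoded URI names a sensitive path or contains a traversal sequence. The combined-log layout, the sensitive-path list and the endpoint names in the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Assumed combined-log layout; adapt the regex to the real log source.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
WRITE_METHODS = {"POST", "PUT", "PATCH"}
# Assumed examples of sensitive locations; tune for the appliance.
SENSITIVE = ("/etc/", "/root/", "/var/spool/cron", "/usr/bin/", "/usr/sbin/")
TRAVERSAL = re.compile(r"(^|[/\\=])\.\.([/\\&]|$)")

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (severity, user, decoded_uri) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] not in WRITE_METHODS:
        return None
    uri = fully_decode(m["uri"])
    if not uri.startswith("/mgmt/"):  # iControl REST is served under /mgmt/
        return None
    if any(p in uri for p in SENSITIVE):
        return ("high", m["user"], uri)    # request names a sensitive path
    if TRAVERSAL.search(uri):
        return ("medium", m["user"], uri)  # traversal sequence in the request
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines; the endpoint names are hypothetical.
SAMPLE = [
    '192.0.2.10 - auditor [01/Jan/2026:10:00:00 +0000] "GET /mgmt/example/status HTTP/1.1" 200 120',
    '192.0.2.10 - auditor [01/Jan/2026:10:00:05 +0000] "POST /mgmt/example/endpoint?path=%2e%2e%2f%2e%2e%2fetc%2fcron.d%2fjob HTTP/1.1" 200 64',
    '192.0.2.11 - viewer [01/Jan/2026:10:01:00 +0000] "PUT /mgmt/example/endpoint?name=%252e%252e%252ftmp%252fx HTTP/1.1" 403 32',
    '192.0.2.12 - admin [01/Jan/2026:10:02:00 +0000] "POST /mgmt/example/tasks HTTP/1.1" 202 48',
]

if __name__ == "__main__":
    for severity, user, uri in scan(SAMPLE):
        print(f"{severity:6} user={user} uri={uri}")
```

Access logs normally record only the request line, so a file path carried in the request body is visible only to a source that captures bodies, such as a reverse proxy or WAF.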

Detection coverage (2 rules)

Detects CVE-2026-20916 Attempt — iControl REST Arbitrary File Write

high

Detects attempts to exploit CVE-2026-20916 by identifying suspicious iControl REST requests that attempt to write to sensitive file paths

Format: sigma; tactics: persistence, privilege_escalation; techniques: T1547.001; sources: webserver

Detects CVE-2026-20916 Attempt — iControl REST Request with Path Traversal

medium

Detects CVE-2026-20916 exploitation attempt — iControl REST request containing path traversal sequences.

Format: sigma; tactics: initial_access; techniques: T1190; sources: webserver

Detection queries are available on the platform.