{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/big-iq-system/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-20916"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIG-IQ system"],"_cs_severities":["high"],"_cs_tags":["cve","arbitrary file modification","privilege escalation","web application"],"_cs_type":"threat","_cs_vendors":["F5 Networks"],"content_html":"\u003cp\u003eCVE-2026-20916 is a vulnerability affecting F5 BIG-IQ systems. It allows an authenticated user with low privileges to create or modify arbitrary files on the system. The vulnerability exists due to an undisclosed iControl REST endpoint that lacks proper authorization checks. Successful exploitation could allow an attacker to overwrite critical system files, execute arbitrary code, or escalate privileges. It\u0026rsquo;s important to note that F5 does not evaluate software versions that have reached End of Technical Support (EoTS) for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the BIG-IQ system as a low-privileged user.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an undisclosed iControl REST endpoint vulnerable to arbitrary file modification.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the identified endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a file path and content to be written or modified. This path may leverage path traversal (CWE-22) to reach protected directories.\u003c/li\u003e\n\u003cli\u003eThe BIG-IQ system processes the request without proper authorization checks, allowing the attacker to write or modify the specified file.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a critical system file, such as a configuration file or startup script, to inject malicious code.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed when the system restarts or a related service is invoked.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution with elevated privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20916 can lead to significant consequences. An attacker could gain complete control of the affected BIG-IQ system, potentially disrupting network services and compromising sensitive data. Given the role of BIG-IQ in managing F5 devices, a successful attack could also lead to the compromise of other systems within the network. The impact is heightened by the relative ease of exploitation, requiring only low-privileged access and a crafted API request.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the updates or mitigations provided by F5 Networks in their security advisory [https://my.f5.com/manage/s/article/K000158029].\u003c/li\u003e\n\u003cli\u003eMonitor iControl REST endpoint access logs for suspicious activity, particularly POST requests with unusual file paths.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect attempts to write to sensitive file paths.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for all iControl REST users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:20:19Z","date_published":"2026-05-13T16:20:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-20916/","summary":"CVE-2026-20916 describes a vulnerability in F5 BIG-IQ where an authenticated user with low privileges can create or modify arbitrary files via an undisclosed iControl REST endpoint, potentially leading to privilege escalation or system compromise.","title":"CVE-2026-20916: F5 BIG-IQ iControl REST Arbitrary File Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-20916/"}],"language":"en","title":"CraftedSignal Threat Feed — BIG-IQ System","version":"https://jsonfeed.org/version/1.1"}