CVE-2026-42924: F5 iControl SOAP Privilege Escalation
The National Vulnerability Database has detailed CVE-2026-42924, a high-severity privilege escalation vulnerability impacting F5 iControl SOAP. An authenticated attacker, provided they hold either the Resource Administrator or Administrator role, can exploit this flaw by crafting SNMP configuration objects via iControl SOAP. This grants them elevated privileges beyond their initial scope.
Rated with a CVSS score of 8.7 (HIGH), this vulnerability presents a critical risk. The vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N indicates it’s network-exploitable with low attack complexity, requiring high privileges to initiate, but leading to high confidentiality and integrity impacts without user interaction. The attacker’s calculus here is clear: leverage existing, albeit high-level, access to jump to an even more powerful position within the system. This is an internal pivot point.
Defenders must recognize that relying solely on role-based access control is insufficient. This vulnerability highlights that even ‘trusted’ roles, if compromised or misused, can be leveraged for deeper system compromise. CISOs need to ensure rigorous auditing of administrative actions, especially those involving configuration changes via APIs like iControl SOAP. Patching is paramount, but so is understanding the attack path and monitoring for anomalous behavior from privileged accounts.
What This Means For You
- If your organization utilizes F5 devices with iControl SOAP, you must prioritize patching for CVE-2026-42924. Review all administrative accounts with Resource Administrator or Administrator roles for suspicious activity, especially any related to SNMP configuration changes. This is a privilege escalation that can be chained with other attacks.
🛡️ Detection Rules
```yaml
# Sigma rule as published on the page; the title is quoted because a bare
# "key: value: more" scalar is not valid YAML, and indentation is restored.
title: 'CVE-2026-42924: F5 iControl SOAP SNMP Configuration Object Creation'
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects the specific iControl SOAP API call used by CVE-2026-42924 to create SNMP configuration objects, which leads to privilege escalation. This rule targets the initial access vector of the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42924/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
    cs-uri|contains:
      - '/iControl/iControlSoap.fcgi'
    cs-uri-query|contains:
      - 'create_snmp_configuration_object'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
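To see what the rule's selection block actually flags, here is an added Python example (not part of the original post or the SCW Feed Engine's output) that evaluates the three field conditions over constructed W3C extended log lines; the log records, IP addresses and usernames are made up, and the field names follow the rule as written.

```python
"""Apply the page's Sigma selection for CVE-2026-42924 to W3C extended log records."""
from typing import Dict, Iterator, List, Optional

# Constructed sample log (values invented for this example). The #Fields: header
# uses the same field names the Sigma rule matches on.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri cs-uri-query sc-status
2026-05-13 19:20:01 10.0.0.5 admin POST /iControl/iControlSoap.fcgi create_snmp_configuration_object 200
2026-05-13 19:20:02 10.0.0.5 admin GET /iControl/iControlSoap.fcgi create_snmp_configuration_object 200
2026-05-13 19:20:03 10.0.0.7 ops POST /iControl/iControlSoap.fcgi get_list 200
2026-05-13 19:20:04 10.0.0.9 bob POST /mgmt/tm/sys/snmp create_snmp_configuration_object 200
"""

def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # other directives, blanks, or records before any header
        yield dict(zip(fields, line.split()))

def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma '|contains' modifier: case-insensitive substring match against a value list."""
    v = value.lower()
    return any(n.lower() in v for n in needles)

def matches_rule(rec: Dict[str, str]) -> bool:
    """The rule's 'selection' block: all three field conditions must hold (AND)."""
    return (
        rec.get("cs-method", "").upper() == "POST"  # Sigma string matching is case-insensitive
        and contains_any(rec.get("cs-uri", ""), ["/iControl/iControlSoap.fcgi"])
        and contains_any(rec.get("cs-uri-query", ""), ["create_snmp_configuration_object"])
    )

def find_hits(text: str) -> List[Dict[str, str]]:
    """Return the records that trigger the rule, so the account involved can be reviewed."""
    return [r for r in parse_w3c(text) if matches_rule(r)]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"ALERT {hit['date']} {hit['time']} user={hit['cs-username']} "
              f"src={hit['c-ip']} uri={hit['cs-uri']}?{hit['cs-uri-query']}")
```

Only the first record fires: the GET, the unrelated SOAP call and the non-iControl path are all dropped by the AND. Because a SOAP operation name normally travels in the POST body rather than the URI query string, a log source that records only the request line may never populate the `cs-uri-query` condition, so check what your webserver logging actually captures before relying on this rule.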
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42924 | Privilege Escalation | Authenticated attacker with Resource Administrator or Administrator role |
| CVE-2026-42924 | Privilege Escalation | SNMP configuration objects creation via iControl SOAP |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.