CVE-2026-42924

Name: CVE-2026-42924
Creator: NVD / NIST
Published: 2026-05-13T16:16:49.517+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.5/10EPSS 0.25%

Last modified Jun 18, 2026

CVE-2026-42924 is a high-severity vulnerability rated 8.5/10 on the CVSS scale. An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.. EPSS estimates a 0.25% chance of exploitation in the next 30 days.

Description

An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Metrics

CVSS 3.1

8.7/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CVSS 4.0

8.5/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.25%

16.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-78

Affected Software

Vendor	Product	Versions
F5	Big-Ip Access Policy Manager	21.0.0
F5	Big-Ip Advanced Firewall Manager	21.0.0
F5	Big-Ip Advanced Web Application Firewall	21.0.0
F5	Big-Ip Analytics	21.0.0
F5	Big-Ip Application Acceleration Manager	21.0.0
F5	Big-Ip Application Security Manager	21.0.0
F5	Big-Ip Application Visibility And Reporting	21.0.0
F5	Big-Ip Automation Toolchain	21.0.0
F5	Big-Ip Carrier-Grade Nat	21.0.0
F5	Big-Ip Container Ingress Services	21.0.0
F5	Big-Ip Ddos Hybrid Defender	21.0.0
F5	Big-Ip Domain Name System	21.0.0
F5	Big-Ip Edge Gateway	21.0.0
F5	Big-Ip Fraud Protection Service	21.0.0
F5	Big-Ip Global Traffic Manager	21.0.0
F5	Big-Ip Link Controller	21.0.0
F5	Big-Ip Local Traffic Manager	21.0.0
F5	Big-Ip Policy Enforcement Manager	21.0.0
F5	Big-Ip Ssl Orchestrator	21.0.0
F5	Big-Ip Webaccelerator	21.0.0
F5	Big-Ip Websafe	21.0.0
F5	Big-Ip Access Policy Manager	>= 17.1.0, <= 17.1.3
F5	Big-Ip Access Policy Manager	>= 17.5.0, <= 17.5.1
F5	Big-Ip Advanced Firewall Manager	>= 17.1.0, <= 17.1.3
F5	Big-Ip Advanced Firewall Manager	>= 17.5.0, <= 17.5.1
F5	Big-Ip Advanced Web Application Firewall	>= 17.1.0, <= 17.1.3
F5	Big-Ip Advanced Web Application Firewall	>= 17.5.0, <= 17.5.1
F5	Big-Ip Analytics	>= 17.1.0, <= 17.1.3
F5	Big-Ip Analytics	>= 17.5.0, <= 17.5.1
F5	Big-Ip Application Acceleration Manager	>= 17.1.0, <= 17.1.3
F5	Big-Ip Application Acceleration Manager	>= 17.5.0, <= 17.5.1
F5	Big-Ip Application Security Manager	>= 17.1.0, <= 17.1.3
F5	Big-Ip Application Security Manager	>= 17.5.0, <= 17.5.1
F5	Big-Ip Application Visibility And Reporting	>= 17.1.0, <= 17.1.3
F5	Big-Ip Application Visibility And Reporting	>= 17.5.0, <= 17.5.1
F5	Big-Ip Automation Toolchain	>= 17.1.0, <= 17.1.3
F5	Big-Ip Automation Toolchain	>= 17.5.0, <= 17.5.1
F5	Big-Ip Carrier-Grade Nat	>= 17.1.0, <= 17.1.3
F5	Big-Ip Carrier-Grade Nat	>= 17.5.0, <= 17.5.1
F5	Big-Ip Container Ingress Services	>= 17.1.0, <= 17.1.3
F5	Big-Ip Container Ingress Services	>= 17.5.0, <= 17.5.1
F5	Big-Ip Ddos Hybrid Defender	>= 17.1.0, <= 17.1.3
F5	Big-Ip Ddos Hybrid Defender	>= 17.5.0, <= 17.5.1
F5	Big-Ip Domain Name System	>= 17.1.0, <= 17.1.3
F5	Big-Ip Domain Name System	>= 17.5.0, <= 17.5.1
F5	Big-Ip Edge Gateway	>= 17.1.0, <= 17.1.3
F5	Big-Ip Edge Gateway	>= 17.5.0, <= 17.5.1
F5	Big-Ip Fraud Protection Service	>= 17.1.0, <= 17.1.3
F5	Big-Ip Fraud Protection Service	>= 17.5.0, <= 17.5.1
F5	Big-Ip Global Traffic Manager	>= 17.1.0, <= 17.1.3

Showing 50 of 84 affected configurations. See NVD for the full list.

References

https://my.f5.com/manage/s/article/K000160926Mitigation, Vendor Advisory

Timeline

Published: May 13, 2026
Last Modified: Jun 18, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-42924?

How severe is CVE-2026-42924?

CVE-2026-42924 has a CVSS score of 8.5/10 (HIGH severity). The EPSS model estimates a 0.25% probability of exploitation in the next 30 days.

How do I fix CVE-2026-42924?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-42924?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST