CVE-2024-26026

CWE-89 — SQL Injection CWE-200 — Information Exposure7 documents7 sources

Severity

7.5HIGH

EPSS

89.4%

top 0.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Next Central Manager

Timeline

PublishedMay 8

Latest updateSep 25

Description

An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5f5/big-ip_next_central_manager20.0.1 — 20.2.0

▶NVDf5/big-ip_next_central_manager20.0.1 — 20.2.0

🔴Vulnerability Details

GHSA

GHSA-fj43-9cjj-qw2v: An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI)↗2024-05-08

▶

CVEList

BIG-IP Central Manager SQL Injection↗2024-05-08

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS F5 BIG-IP Next Central Manager SQL Injection (CVE-2024-26026)↗2024-09-25

▶

📋Vendor Advisories

CVE-2024-26026: An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI)↗2024-05-08

▶

🕵️Threat Intelligence

Bleepingcomputer

New BIG-IP Next Central Manager bugs allow device takeover↗2024-05-08

▶