CVE-2026-35062

Severity: Medium
Weakness type: CWE-266
Published: May 13, 2026  ·  Modified: May 16, 2026  ·  Source: NVD
CVSS v3: 6.5
📄 Description (English)

An authenticated iControl SOAP user may be able to obtain information of other accounts. 

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

🤖 AI Executive Summary

CVE-2026-35062 is a medium-severity information disclosure vulnerability in F5 iControl SOAP that allows authenticated users to access account information of other users. While no public exploit is available and patches are not yet released, the vulnerability poses a risk to organizations using iControl for administrative access. The impact is limited to information disclosure rather than system compromise, but could facilitate privilege escalation or social engineering attacks.

🤖 AI Intelligence Analysis (analyzed May 15, 2026 11:20)
🇸🇦 Saudi Arabia Impact Assessment
Saudi banking institutions (SAMA-regulated banks) and government agencies using F5 iControl for administrative management face information disclosure risks. Telecom operators (STC, Mobily) managing network infrastructure through iControl could expose administrative credentials and user account details. Healthcare organizations and energy sector entities (ARAMCO, SEC) using F5 load balancers with iControl administration are at risk. The vulnerability primarily affects administrative access control and could compromise the confidentiality of system administrator accounts and service accounts.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Telecommunications, Healthcare, Energy and Utilities, Critical Infrastructure
⚖️ Saudi Risk Score (AI): 6.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all F5 iControl SOAP deployments across your infrastructure
2. Restrict iControl SOAP access to trusted administrative networks only using firewall rules
3. Implement network segmentation to isolate iControl management interfaces
4. Enable comprehensive audit logging for all iControl SOAP authentication and account access attempts
5. Review access logs for unauthorized account information queries

Compensating Controls:
6. Implement role-based access control (RBAC) with least privilege principles for iControl users
7. Enforce multi-factor authentication (MFA) for all iControl administrative accounts
8. Deploy intrusion detection signatures to monitor for suspicious iControl SOAP queries
9. Implement API rate limiting on iControl SOAP endpoints
10. Regularly audit and remove unnecessary iControl user accounts

Patching:
11. Monitor F5 security advisories for patch availability
12. Plan immediate patching upon patch release
13. Test patches in non-production environments first

Detection:
14. Monitor for SOAP requests querying account information from non-administrative contexts
15. Alert on failed authentication attempts followed by successful account enumeration queries
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and authentication
ECC 2024 A.9.4.3 - Password management and access control
ECC 2024 A.8.2.3 - Segregation of duties and access control
ECC 2024 A.12.4.1 - Event logging and monitoring
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset management and inventory
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.AC-4 - Access rights and privileges management
SAMA CSF DE.AE-1 - Audit and accountability mechanisms
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - User access management
ISO 27001:2022 A.8.3 - User responsibilities
ISO 27001:2022 A.8.4 - Access rights review
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Inventory of system components
PCI DSS 7.1 - Limit access to system components
PCI DSS 8.1 - User identification and authentication
PCI DSS 10.2 - Implement automated audit trails
📊 CVSS Score
6.5 / 10.0 (Medium)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: N (None)
Availability: N (None)
📋 Quick Facts
Severity: Medium
CVSS Score: 6.5
CWE: CWE-266
EPSS: 0.06%
Exploit: No
Patch: No
Published: 2026-05-13
Source Feed: nvd
🇸🇦 Saudi Risk Score
6.2 / 10.0 (Priority: HIGH)
🏷️ Tags
CWE-266