F5 Warns of Critical Bug Allowing Remote Code Execution in BIG-IP Systems

The vulnerability is ‘critical’ with a CVSS severity rating of 9.8 out of 10.

Application service provider F5 is warning a critical vulnerability allows unauthenticated hackers with network access to execute arbitrary commands on its BIG-IP systems.

The F5 BIG-IP is a combination of software and hardware that is designed around access control, application availability and security solutions.

The vulnerability is tracked as CVE-2022-1388  with a severity rating of 9.8 out of 10 by the Common Vulnerabilities Scoring System (CVSS) version 3.90.
Infosec Insiders Newsletter

According to F5, the flaw resides in the representational state transfer (REST) interface for the iControl framework which is used to communicate between the F5 devices and users.

Threat actors can send undisclosed requests and leverage the flaw to bypass the iControl REST authentication and access the F5 BIG-IP systems, an attacker can execute arbitrary commands, create or delete files or disable servers.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” said F5 in an advisory. “There is no data plane exposure; this is a control plane issue only,” they added.

A self-IP address is an IP address on a BIG-IP system, that a customer uses to associate with VLAN.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert and advised users to apply the required updates.

Affected Versions

The security vulnerability that affects the BIG-IP product version are:

  • 1.0 to 16.1.2
  • 1.0 to 15.1.5
  • 1.0 to 14.1.4
  • 1.0 to 13.1.4
  • 1.0 to 12.1.6
  • 6.1 to 11.6.5

The F5 will not introduce fixes for versions 11.x (11.6.1 – 11.6.5) and 12.x (12.1.0 – 12.1.6).

The patches for versions v17.0.0, v16.1.2.2, v15.1.5.1, v14.1.4.6, and v13.1.5 were introduced by F5.

The advisory by F5 clarifies that the CVE-2022-1388 has no effect on other F5 products – BIG-IQ Centralized Management, F5OS-A, F5OS-C, or Traffic SDC.

F5 affected products and fixed versions

F5 affected products and fixed versions (Source: F5)

The BIG-IP devices are commonly integrated into the enterprises there is a significant threat of widespread attack.

Security researcher Nate Warfield reported in a tweet that nearly 16,000 BIG-IP devices are exposed to the internet. A query shared by Warfield shows the exposed devices on Shodan.

Most of the exposed BIG-IP devices are located in the USA, China, India, and Australia. These systems are allocated to Microsoft corporation, Google LLC, DigitalOcean, and Linode.


Three “temporary mitigation” methods were advised by F5, for those who can’t deploy security patches immediately.

According to F5 “You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses”. This can be done by changing the Port Lockdown settings to Allow None for each self-IP address in the system.

Another mitigation method is to restrict iControl REST access through the management interface or modify the BIG-IP httpd configuration.

Additionally, F5 has also released a more generic advisory to tackle another set of 17 high severity vulnerabilities discovered and fixed in BIG-IP.

In July 2020, a critical RCE bug left thousands of F5 BIG-IP users’ accounts vulnerable to an attacker.


Suggested articles