Advisory May 9, 2022

F5 BIG-IP: CVE-2022-1388 – Unauthenticated RCE Vulnerability

Obrela SOC

Last week, F5 released an update to its BIG-IP product, patching a vulnerability affecting the iControl REST and is tracked as CVE-2022-1388 and has a CVSS v3 severity rating of 9.8, categorized as critical.
The vulnerability would permit unauthenticated attackers to execute arbitrary system commands, create or delete files, or disable services.
CVE-2022-1388 allows undisclosed requests to bypass iControl REST authentication, just like CVE-2021-22986, which has been patched in March 2021 and subsequently leveraged by attackers.
At the time of publication, there were no public exploits for CVE-2022-1388. However, it’s likely only a matter of time before researchers and threat actors develop proof of concept exploit for this vulnerability. This weekend, cybersecurity researchers from Horizon3 and Positive Technologies announced on Twitter that they had developed exploits, and one stated that they would release an exploit publicly this week.

Affected Devices

Everything older than version 17. Patches are available for BIG-IP versions 13-16. BIG-IP version 11 and 12 are vulnerable with no available patch.


F5 has introduced fixes in v17.0.0, v16.1.2.2, v15.1.5.1, v14.1.4.6, and v13.1.5. The branches of 12.x and 11.x will not receive a fixing patch.
Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.