Missing Endpoint Authentication in F5 BIG-IP Leads to Remote Code Execution

Originally published at: https://cloudsek.com/threatintelligence/missing-endpoint-authentication-in-f5-big-ip-leads-to-remote-code-execution-2/

 

Category: Vulnerability Intelligence

Vulnerability Class: Remote Code Execution

CVE ID: CVE-2022-1388

CVSS:3.0 Score: 9.8

Executive Summary

  • CloudSEK’s Threat Research & Information Analytics Division (TRIAD) investigated the severity of CVE-2022-1388, a newly disclosed vulnerability in F5 BIG-IP.
  • F5, Inc. is an American technology company specializing in application security, multi-cloud management, online fraud prevention, application delivery networking, application availability and performance, network security, and access and authorization.
  • The vulnerability was found internally by F5 and a patch was released; diffing the patched and unpatched code was enough for researchers and threat actors to build a working exploit.
  • An unauthenticated attacker who can reach the iControl REST interface can execute arbitrary system commands on the device, which is enough to spawn a reverse shell and use the BIG-IP as an initial foothold in the victim's infrastructure. Mass scanning for this vulnerability was observed shortly after disclosure.
Image depicting Workflow of CVE-2022-1388

 

Analysis

  • CVE-2022-1388 is an authentication bypass in the iControl REST interface: requests to critical endpoints reach the back end without being authenticated, which yields remote code execution. It is a control-plane issue only; exposure is through the management port and any self IP that allows iControl REST, not through the data plane.
  • The exploit is very straightforward, and with it an attacker can view or delete files, change the system configuration and execute arbitrary system commands.
  • The table below lists the affected versions along with their fixed equivalents.
Branch   Affected versions   Fixed versions
17.x     None                17.0.0
16.x     16.1.0 – 16.1.2     16.1.2.2
15.x     15.1.0 – 15.1.5     15.1.5.1
14.x     14.1.0 – 14.1.4     14.1.4.6
13.x     13.1.0 – 13.1.4     13.1.5
12.x     12.1.0 – 12.1.6     EOL – no fix available
11.x     11.6.1 – 11.6.5     EOL – no fix available

The Exploit

  • As shown in the image below, an attacker sends a single POST request to the vulnerable endpoint /mgmt/tm/util/bash carrying a shell command, and the command's output is returned in the response.
  • This works because a critical endpoint such as /mgmt/tm/util/bash is reachable without authentication.
Image depicting the exploitation POC where the ‘cat’ command can be replaced with other malicious payloads

 

CVE-2021-22986

  • F5 BIG-IP iControl REST previously had an authentication bypass on the same endpoint, tracked as CVE-2021-22986.
  • The difference between the two lies in how the ‘X-F5-Auth-Token’ header is abused: in CVE-2021-22986 the header was sent with a blank value, whereas in CVE-2022-1388 the header carries a value but is also named in the ‘Connection’ header, so the front-end web server strips it as a hop-by-hop header before the request reaches the back end that validates the token.
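As an added example (not code from CloudSEK or F5) covering both the exploit request shape described in The Exploit section and the header difference between the two CVEs described above, the following Python triage helper inspects raw HTTP requests to iControl REST and flags the two bypass patterns plus any command sent to /mgmt/tm/util/bash. It assumes the request text is available as a proxy, IDS or packet capture in front of the management interface would see it, and that the JSON body uses the `command`/`utilCmdArgs` keys of the util/bash endpoint (taken from the public PoCs, not from this article); the three sample requests are constructed, not real captures.

```python
"""Triage helper for the two iControl REST authentication-bypass request shapes
contrasted above: CVE-2021-22986 (X-F5-Auth-Token sent with an empty value) and
CVE-2022-1388 (X-F5-Auth-Token named in the Connection header, so the front-end
web server drops it as hop-by-hop before the back end that checks the token).

Added example, not CloudSEK's or F5's code. Input is raw HTTP request text as a
proxy, IDS or packet capture in front of the management interface would see it.
"""
import json

# Endpoint from the article that runs a shell command via iControl REST.
CMD_ENDPOINT = "/mgmt/tm/util/bash"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased and values kept as lists, so duplicated
    headers (a common evasion trick) are not silently collapsed into one.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, path, headers, body


def connection_tokens(headers):
    """Lower-cased tokens of the Connection header(s). Connection is a
    comma-separated list, so 'close, X-F5-Auth-Token' must be split first."""
    return {
        tok.strip().lower()
        for value in headers.get("connection", [])
        for tok in value.split(",")
        if tok.strip()
    }


def classify(raw):
    """Return a list of findings for one request; an empty list means clean."""
    method, path, headers, body = parse_request(raw)
    findings = []
    if not path.startswith("/mgmt/"):
        return findings  # not iControl REST, out of scope for this check

    if "x-f5-auth-token" in connection_tokens(headers):
        findings.append("CVE-2022-1388: X-F5-Auth-Token listed in Connection header")
    if any(tok == "" for tok in headers.get("x-f5-auth-token", [])):
        findings.append("CVE-2021-22986: empty X-F5-Auth-Token header")

    if method == "POST" and path.split("?", 1)[0] == CMD_ENDPOINT:
        # Pull the command out of the body so the alert is actionable. The
        # command/utilCmdArgs keys follow the public PoCs for this endpoint.
        try:
            cmd = json.loads(body).get("utilCmdArgs", "<no utilCmdArgs>")
        except (ValueError, AttributeError):
            cmd = "<unparseable body>"
        findings.append(f"command execution via {CMD_ENDPOINT}: {cmd}")
    return findings


# --- Constructed sample traffic (not real captures) -----------------------
# CVE-2022-1388 shape: token header present, but also named in Connection,
# so the front end strips it before proxying to the back end.
EXPLOIT_2022 = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "X-F5-Auth-Token: a\r\n"
    "Connection: X-F5-Auth-Token, keep-alive\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"command": "run", "utilCmdArgs": "-c cat /etc/passwd"}'
)
# CVE-2021-22986 shape: the token header is sent but left blank.
EXPLOIT_2021 = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "X-F5-Auth-Token:\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"command": "run", "utilCmdArgs": "-c id"}'
)
# Legitimate automation: a made-up token value and an ordinary Connection header.
BENIGN = (
    "GET /mgmt/tm/ltm/virtual HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "X-F5-Auth-Token: 3HFEEGTZYMAQVTQWSNXJPN5JAJ\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("2022", EXPLOIT_2022), ("2021", EXPLOIT_2021), ("benign", BENIGN)):
        print(label, classify(req) or ["clean"])
```

The check that matters is connection_tokens(): because Connection is a token list, the bypass also appears as `Connection: close, X-F5-Auth-Token` or with different casing, and an exact string match on the header value would miss it. Nothing here proves a host is vulnerable; it only tells you that someone tried, so a hit on an unpatched device should be treated as a possible compromise rather than a blocked attempt.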

Information from OSINT

  • The number of potentially vulnerable servers gives a sense of the vulnerability's impact. A Censys search returns 2,902 Internet-exposed systems that are potentially vulnerable to this CVE (exposure of the management interface, not confirmed exploitability).
A Censys search depicting possible 2,902 vulnerable systems.

 

  • Numerous PoC scripts are publicly available on open-source platforms.
  • Threat actors have started publishing exploits and discussing the vulnerability on various cybercrime forums and Telegram channels (see the Appendix).

Impact & Mitigation

Impact

  • The vulnerability allows unauthenticated remote code execution.
  • An attacker can use it to gain an initial foothold in an organization's infrastructure and pivot further from the compromised device.
  • Ransomware groups and operators can use it for monetary gain.
  • Nation-state actors can use it to exfiltrate intelligence and sensitive data, causing a loss of trust from stakeholders.

Mitigation

  • Immediately update to the fixed versions listed above.
  • If patching is not immediately feasible, apply the workarounds F5 has published, which restrict iControl REST access to trusted IP addresses only.
  • Patching does not remove anything an attacker already deployed; devices that were reachable while unpatched should be reviewed for signs of compromise.

Appendix

Images depicting threat actors discussing and sharing the vulnerability