Security researchers are warning of mass scans and active exploits of a Critical vulnerability on F5 BIG-IP and BIG-IQ infrastructure. F5 patched the Critical remote code execution vulnerability CVE-2021-22986 nearly two weeks ago when the networking company confirmed an unauthenticated attacker could exploit the vulnerability in the iControl REST interface to execute arbitrary system commands, create or delete files, and disable services.
Security firm NCC Group spotted exploitation attempts against the F5 BIG-IP/BIG-IQ iControl REST API vulnerability CVE-2021-22986 this past week. Moreover, the security team also observed a “full chain exploitation” from two IPs: 67.216.209[.]142 and 68.183.179[.]130 as recently as March 19.
As revealed in a blog post, Rich Warren and Sander Laarhoven of NCC Group observed multiple exploitation attempts against their honeypot infrastructure.
“This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon,” NCC group explained.
Since the patch was released, researchers posted multiple Proof of Concepts (PoCs), to include a new variant posted to Twitter as recently as March 20 that doesn’t require SSRF.
Furthermore, Bad Packets also tweeted out a warning of “mass scanning activity detected” looking for vulnerable F5 infrastructure:
Other F5 vulnerabilities
- CVE-2021-22987: Appliance Mode TMUI authenticated remote command execution vulnerability (CVSS score: 9.9)
- CVE-2021-22991: TMM buffer-overflow vulnerability (CVSS score: 9.0)
- CVE-2021-22992: Advanced WAF/ASM buffer-overflow vulnerability (CVSS score: 9.0).
- F5 patches 4 Critical vulnerabilities
- F5 patches Critical RCE vulnerability (CVE-2020-5902) in BIG-IP configuration utility
- APT actors exploit legacy internet-facing vulnerabilities in combination with Zerologon to target organizations
- Chinese threat actors targeting U.S. government agencies and these 4 CVEs