Unauthenticated attackers could exploit a critical BIG-IP iControl REST vulnerability (CVE-2022-1388) to execute arbitrary system commands, create or delete files, or disable services on BIG-IP systems.
F5’s BIG-IP is a family of software and hardware products designed for availability, access control, and security solutions.
According to F5, undisclosed requests may bypass iControl REST authentication (CVE-2022-1388, CVSS 9.8).
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” F5 warned in the security advisory.
F5 added that the issue affects the control plane only, not the data plane.
In an article posted by Threatpost, researcher Jacob Baines revealed thousands of BIG-IP systems appeared to be exposed on the internet, as recently as May 5, 2022:
Network administrators are encouraged to apply the necessary updates as soon as possible to address the vulnerability.