>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2022-1388

F5 BIG-IP iControl REST Authentication Bypass

An authentication-bypass vulnerability in the F5 BIG-IP iControl REST API allows an unauthenticated attacker with network access to the management interface or self-IP addresses to execute arbitrary system commands, create or delete files, or disable services.

Vendor: F5
Product: BIG-IP
CVSS: 9.8
Status: kev
Published:
CVE-2022-1388 is a maximum-severity authentication-bypass vulnerability in F5 BIG-IP’s iControl REST API, disclosed May 4, 2022. By sending specially crafted HTTP requests, an unauthenticated attacker with network access to the management port or a self-IP address could bypass iControl REST authentication entirely and execute arbitrary system commands with full administrative effect — creating or deleting files, disabling services, or fully taking over the device.

Why it mattered

BIG-IP appliances sit at the application-delivery layer for large enterprises and service providers, load-balancing and terminating traffic for the applications behind them — a compromise of the appliance itself threatens everything it fronts. Within days of F5’s advisory, security researchers published working proof-of-concept exploit code, and mass scanning for vulnerable, internet-exposed BIG-IP management interfaces began almost immediately, with confirmed exploitation reported within roughly a week of disclosure.

F5’s guidance was unambiguous: patch immediately, and in the meantime restrict access to the management interface and self-IP addresses to trusted networks only — a configuration many administrators had not enforced. CISA added the CVE to its KEV catalog with an expedited deadline. Full technical detail and patch availability are in F5’s security advisory and at the NVD link above.
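The exposure conditions in the advisory summary above (iControl REST reachable on the management port or a self-IP from untrusted networks) are the thing to audit while a patch window is being arranged. The script below is an added example, not code from the page or from F5: it parses the text shape of `tmsh list /sys httpd allow` and `tmsh list /net self` output (the brace layout is assumed from memory of tmsh output, so confirm it against a dump from your own device) and flags an open management allow-list and any self-IP whose port-lockdown setting admits TCP/443. Both sample configurations are constructed for the example; the weak one reflects the kind of configuration the advisory warns about and the hardened one is the same excerpt with F5's recommended restrictions applied.

```python
"""Audit a BIG-IP tmsh config excerpt for iControl REST exposure.

Added example (not the page's or F5's code). The tmsh output format
below is assumed; verify against a real `tmsh list` dump before relying
on the parser.
"""
import re

# Constructed sample: weak configuration. The management httpd allow-list
# admits every source, and the self-IP port lockdown is 'default', which
# includes TCP/443 where iControl REST listens.
WEAK_CONFIG = """\
sys httpd {
    allow { all }
}
net self 10.1.1.5 {
    address 10.1.1.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
"""

# Constructed sample: the same excerpt after restricting management access
# to trusted networks and setting the self-IP port lockdown to 'none'.
HARDENED_CONFIG = """\
sys httpd {
    allow { 10.10.0.0/16 192.0.2.10 }
}
net self 10.1.1.5 {
    address 10.1.1.5/24
    allow-service {
        none
    }
    traffic-group traffic-group-local-only
    vlan internal
}
"""

HTTPD_ALLOW_RE = re.compile(r"sys httpd \{.*?allow \{([^}]*)\}", re.S)
SELF_BLOCK_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
# allow-service is either a braced list or a single bare token (all/none).
ALLOW_SERVICE_RE = re.compile(r"allow-service\s+(\{[^}]*\}|\S+)")

# Port-lockdown values that expose TCP/443. 'default' is F5's predefined
# service set and includes 443 (assumption from the documented default
# list; confirm for your release).
REST_EXPOSING = {"all", "default", "tcp:443", "tcp:https"}


def parse_httpd_allow(text):
    """Return the source entries of the management httpd allow-list."""
    m = HTTPD_ALLOW_RE.search(text)
    return m.group(1).split() if m else []


def parse_self_ips(text):
    """Map each self-IP name to its allow-service (port lockdown) entries."""
    result = {}
    for name, body in SELF_BLOCK_RE.findall(text):
        m = ALLOW_SERVICE_RE.search(body)
        services = m.group(1).strip("{}").split() if m else []
        result[name] = services
    return result


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if "all" in parse_httpd_allow(text):
        findings.append(
            "sys httpd allow-list admits all sources; "
            "restrict it to trusted management networks"
        )
    for name, services in parse_self_ips(text).items():
        exposed = sorted(REST_EXPOSING.intersection(services))
        if exposed:
            findings.append(
                f"self-IP {name}: port lockdown {exposed} exposes TCP/443 "
                "(iControl REST); use allow-service none or an explicit "
                "list without 443"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

The weak sample yields two findings and the hardened sample none. To apply the hardened form on a device, the tmsh commands I would reach for are `tmsh modify /sys httpd allow replace-all-with { <trusted networks> }` for the management allow-list and `tmsh modify /net self <name> allow-service none` for the self-IP port lockdown; both are quoted from memory of the tmsh reference, so check them against the advisory and your release before running them.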