November 20, 2022
F5 BIG-IP & BIG-IQ High-Severity RCE Vulnerabilities
F5 has released an advisory regarding two high-severity vulnerabilities affecting BIG-IP and BIG-IQ devices.
Successful exploitation of these vulnerabilities may lead to remote code execution (RCE) and full device takeover.
- CVE-2022-41622 (CVSS 3.1: 8.8, High severity) – A cross-site request forgery (CSRF) vulnerability in iControl SOAP. An unauthenticated attacker may achieve remote code execution; as with any CSRF, the attacker must lure a logged-in administrator's browser into sending the crafted request, so the device's own session is what carries the attack.
- CVE-2022-41800 (CVSS 3.1: 8.7, High severity) – An iControl REST vulnerability that may allow an authenticated user with the Administrator role to bypass Appliance mode restrictions (the mode intended to keep even administrators away from the underlying shell).
Affected versions:
- BIG-IP versions 13.x, 14.x, 15.x, 16.x and 17.x.
- BIG-IQ Centralized Management versions 7.x and 8.x.
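To find exposed devices across a fleet, a practitioner would pull each device's version over iControl REST and compare it with the branches listed above. The following triage helper is an added example and is not code from F5 or CYREBRO. It assumes the response body of GET /mgmt/tm/sys/version has the nested "entries" / "nestedStats" shape shown in the constructed sample; the product-to-branch table is taken directly from the advisory, and the sample payload is constructed so the script runs offline.

```python
"""Triage helper: classify a BIG-IP or BIG-IQ version against the branches
this advisory lists as affected (added example, not F5's or CYREBRO's code).

Assumption: the JSON shape below mirrors what iControl REST returns for
GET /mgmt/tm/sys/version. The payload itself is constructed for this example.
"""
import json
import re

# Affected branches as listed in the advisory (no fixed release at time of writing).
AFFECTED_BRANCHES = {
    "BIG-IP": {"13", "14", "15", "16", "17"},
    "BIG-IQ": {"7", "8"},
}

# Constructed sample response (assumption: shape mirrors /mgmt/tm/sys/version).
SAMPLE_VERSION_RESPONSE = json.dumps({
    "kind": "tm:sys:version:versionstats",
    "selfLink": "https://localhost/mgmt/tm/sys/version?ver=16.1.3",
    "entries": {
        "https://localhost/mgmt/tm/sys/version/0": {
            "nestedStats": {
                "entries": {
                    "Build": {"description": "0.0.6"},
                    "Date": {"description": "Mon Aug 15 10:00:00 PDT 2022"},
                    "Edition": {"description": "Point Release 3"},
                    "Product": {"description": "BIG-IP"},
                    "Title": {"description": "Main Package"},
                    "Version": {"description": "16.1.3"},
                }
            }
        }
    },
})


def parse_sys_version(raw: str) -> dict:
    """Extract product, version and build from a /mgmt/tm/sys/version body."""
    doc = json.loads(raw)
    entries = doc.get("entries") or {}
    if not entries:
        raise ValueError("no 'entries' in sys/version response")
    # Stats are keyed by selfLink; a single device reports one entry.
    nested = next(iter(entries.values()))["nestedStats"]["entries"]

    def field(name: str) -> str:
        return nested[name]["description"]

    return {"product": field("Product"), "version": field("Version"), "build": field("Build")}


def is_affected(product: str, version: str) -> bool:
    """True when product/version falls in a branch the advisory lists as affected."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major = m.group(1)
    return major in AFFECTED_BRANCHES.get(product, set())


def triage(raw: str) -> dict:
    """Parse a sys/version body and annotate it with the affected flag."""
    info = parse_sys_version(raw)
    info["affected"] = is_affected(info["product"], info["version"])
    return info


if __name__ == "__main__":
    print(triage(SAMPLE_VERSION_RESPONSE))
```

The check is deliberately coarse: because the advisory lists whole branches with no fixed release, every version inside a listed branch is treated as affected. Once F5 publishes fixed releases, the comparison should move from major-branch membership to a full version comparison against the fixed build.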
Since F5 has not yet published fixed releases, CYREBRO strongly recommends applying the temporary workarounds listed in the "Mitigation" section of the official F5 advisory.
References: F5 Advisory