F5 BIG-IP & BIG-IQ High-Severity RCE Vulnerabilities

November 20, 2022

F5 has released an advisory regarding two high-severity vulnerabilities affecting BIG-IP and BIG-IQ devices.

Successful exploitation of these vulnerabilities may lead to remote code execution (RCE) and full takeover of the device.

The Vulnerabilities

  • CVE-2022-41622 (CVSS 3.1: 8.8, High-severity) – A cross-site request forgery (CSRF) vulnerability in iControl SOAP. An unauthenticated attacker who lures an administrator into visiting an attacker-controlled web page while the administrator's browser holds a valid session (or cached HTTP Basic credentials) for the device can make that browser send forged iControl SOAP requests, leading to remote code execution. The attacker needs no credentials of their own, but the attack does require user interaction by an administrator.
  • CVE-2022-41800 (CVSS 3.1: 8.7, High-severity) – A vulnerability in iControl REST. An authenticated user with the Administrator role may bypass Appliance mode restrictions, which are intended to prevent even administrators from obtaining shell-level (root) access to the device.
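The mechanism behind CVE-2022-41622 is the classic CSRF pattern: a management endpoint accepts a state-changing POST on the strength of credentials the browser attaches automatically (a session cookie or cached HTTP Basic authentication), so a page on an attacker's origin can make a logged-in administrator's browser send a request the server cannot tell apart from a legitimate one. The following is an added example, not code from F5 or from the original advisory, that shows the vulnerable authorization pattern beside a hardened one that rejects cross-site initiations using browser-set headers (Sec-Fetch-Site, Origin, Referer) and accepts scripted clients only via a credential the browser never adds on its own. The management hostname, the sample requests and the X-Auth-Token header are assumptions constructed for the example; the SOAP endpoint path is only used as a label in the samples.

```python
# Added example (not F5 code or code from the original advisory): the CSRF
# pattern behind CVE-2022-41622 and the server-side checks that defeat it.
from urllib.parse import urlsplit

MGMT_HOST = "bigip.example.internal"        # assumed management hostname
SOAP_PATH = "/iControl/iControlPortal.cgi"   # iControl SOAP endpoint path (label only)
VALID_TOKENS = {"tok-constructed-1"}         # hypothetical non-ambient credential


def vulnerable_authorizes(req):
    """CSRF-prone: any POST carrying ambient credentials is accepted.

    Cookies and cached HTTP Basic credentials are attached by the browser to
    every request for the host, including requests a page on another origin
    causes it to send, so the server cannot distinguish the victim's own
    actions from a forged request.
    """
    h = req["headers"]
    return req["method"] == "POST" and ("Cookie" in h or "Authorization" in h)


def hardened_authorizes(req, mgmt_host=MGMT_HOST, token_header="X-Auth-Token"):
    """Accept a state-changing POST only if the browser's own metadata shows it
    was initiated from the management origin, or if it carries a credential
    that a cross-site page cannot make the browser add."""
    if req["method"] != "POST":
        return False
    h = req["headers"]

    # 1. An explicit token (hypothetical header) is supplied by client code,
    #    never by the browser automatically, so it cannot be forged cross-site.
    if token_header in h:
        return h[token_header] in VALID_TOKENS

    # 2. Otherwise the request relies on ambient credentials; require them and
    #    then prove the request was initiated same-origin.
    if "Cookie" not in h and "Authorization" not in h:
        return False

    # Sec-Fetch-Site is set by the browser and cannot be spoofed by page
    # script; for a state-changing POST only same-origin is acceptable.
    sfs = h.get("Sec-Fetch-Site")
    if sfs is not None:
        return sfs == "same-origin"

    # Older clients: fall back to Origin, then Referer (both browser-set).
    # A credentialed POST with neither fails closed, which also rejects
    # scripted clients that did not use the token path above.
    src = h.get("Origin") or h.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname == mgmt_host


# Constructed sample requests; header values are illustrative only.
SAMPLES = {
    # Administrator submitting a form in the management UI.
    "same-origin": {"method": "POST", "path": SOAP_PATH, "headers": {
        "Cookie": "BIGIPAuthCookie=constructed",
        "Origin": "https://bigip.example.internal",
        "Sec-Fetch-Site": "same-origin"}},
    # Forged POST from an attacker page; the browser attached the cookie itself.
    "csrf-cookie": {"method": "POST", "path": SOAP_PATH, "headers": {
        "Cookie": "BIGIPAuthCookie=constructed",
        "Origin": "https://attacker.example",
        "Sec-Fetch-Site": "cross-site"}},
    # Older browser with cached Basic auth, no Sec-Fetch-Site, only a Referer.
    "csrf-basic": {"method": "POST", "path": SOAP_PATH, "headers": {
        "Authorization": "Basic Y29uc3RydWN0ZWQ6Y29uc3RydWN0ZWQ=",
        "Referer": "https://attacker.example/lure.html"}},
    # Automation client presenting the explicit (hypothetical) token header.
    "api-token": {"method": "POST", "path": SOAP_PATH, "headers": {
        "X-Auth-Token": "tok-constructed-1"}},
}


def evaluate(requests=SAMPLES):
    """Return {name: (vulnerable_decision, hardened_decision)} per sample."""
    return {name: (vulnerable_authorizes(r), hardened_authorizes(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in evaluate().items():
        print(f"{name:12} vulnerable={str(vuln):5} hardened={hard}")
```

The two forged samples are accepted by the vulnerable check and rejected by the hardened one; the cost of failing closed on a missing Origin/Referer is that plain scripted clients must switch to the explicit token path, which is exactly the credential a cross-site page cannot supply.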

Affected Products

  • BIG-IP versions 13.x, 14.x, 15.x, 16.x and 17.x.
  • BIG-IQ Centralized Management versions 7.x and 8.x.

Workaround

F5 has not yet released patched versions for these vulnerabilities, so CYREBRO strongly recommends applying the temporary workarounds listed in the "Mitigation" section of the official F5 advisory until fixed versions are available.

References: F5 Advisory