F5 Patches Critical BIG-IP Device Takeover Vulnerability

May 8, 2022 


 F5 has patched a critical vulnerability affecting BIG-IP devices that may lead to device takeover. 

The Vulnerability

  • CVE-2022-1388 (CVSS 3.1: 9.8, Critical) – Undisclosed requests may bypass iControl REST authentication. This may result in remote code execution and modification of files and services. 

Affected Products

  • BIG-IP (all modules) versions:
      • Prior to 17.0.0.
      • Prior to 16.1.2.2.
      • Prior to 15.1.5.1.
      • Prior to 14.1.4.6.
      • Prior to 13.1.5.
      • 12.1.0 – 12.1.6 (no fix available).
      • 11.6.1 – 11.6.5 (no fix available).
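As an added example (not code from the CYREBRO page or from F5), a small checker that maps a BIG-IP version string onto the ranges listed above. It assumes that each "prior to X" entry applies within X's own release branch, and reports any version outside the listed branches as not listed rather than guessing.

```python
# Added example: classify a BIG-IP version string against the
# CVE-2022-1388 affected ranges listed on this page. Not F5 or CYREBRO code.
from typing import Tuple

# Fixed version per release branch (major, minor), as listed on the page.
# Assumption: "prior to X" is read within X's own release branch.
FIXED_IN = {
    (17, 0): (17, 0, 0),
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
}

# Branches the page marks as affected with no fix available: (low, high).
NO_FIX = {
    (12, 1): ((12, 1, 0), (12, 1, 6)),
    (11, 6): ((11, 6, 1), (11, 6, 5)),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.1.2.1' into (16, 1, 2, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so 16.1.2 and 16.1.2.0 compare equal."""
    return v + (0,) * (width - len(v))


def assess(version: str) -> str:
    """Return 'affected', 'affected, no fix available', 'fixed' or 'not listed'."""
    v = pad(parse_version(version))
    branch = (v[0], v[1])
    if branch in FIXED_IN:
        return "affected" if v < pad(FIXED_IN[branch]) else "fixed"
    if branch in NO_FIX:
        low, high = NO_FIX[branch]
        # Compare on the first three components so 12.1.6.x still counts as 12.1.6.
        if low <= v[:3] <= high:
            return "affected, no fix available"
    return "not listed"


if __name__ == "__main__":
    for sample in ("16.1.2", "16.1.2.2", "17.0.0", "13.1.4.1", "12.1.6.1", "11.6.0"):
        print(f"{sample:>10}: {assess(sample)}")
```

The version string itself comes from the device (for example the output of `tmsh show sys version`); the checker only does the comparison.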

Mitigation

CYREBRO recommends updating the relevant products to the fixed versions listed in the official F5 advisory.

Workaround

If updating is not currently an option, apply the temporary workarounds given in the official F5 advisory under its ‘Mitigation’ section.

References: F5 Advisory. 
