CVE-2021-22986

CVSS 9.8 CRITICAL · EPSS 99.9% · KEV · CWE-918
In short

The iControl REST interface in F5 BIG-IP and BIG-IQ allows attackers to execute commands remotely without authentication. An attacker who can reach the interface over the network can take complete control of the affected device without any credentials.

Technical detail

An unauthenticated remote attacker can execute arbitrary commands on BIG-IP and BIG-IQ devices via the iControl REST API. The root cause is classified as CWE-918 (Server-Side Request Forgery), meaning the REST interface can be induced to issue requests on the attacker's behalf. No authentication or user interaction is required; exploitation consists of sending crafted requests to the vulnerable REST endpoint, and a successful exploit yields complete system compromise.

Summary generated and translated by AI from the official description.
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · BIG-IP; BIG-IQ
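The version ranges in the official description are the first thing to check on a fleet, and comparing dotted versions by hand is error-prone (14.1.4 is fixed, 14.1.3.1 is not). The script below is an added example, not F5 tooling, that encodes the affected branches from the description above and classifies a product/version pair as affected, fixed, or not evaluated (EoSD branches and branches newer than the advisory). It also extracts the `Product` and `Version` fields from `tmsh show sys version` text; the field layout is assumed from that command's usual output, and the sample output embedded here is constructed, not captured from a real device.

```python
"""Classify BIG-IP / BIG-IQ versions against the CVE-2021-22986 affected ranges.

Added example; not F5's own code.  The affected branches come from the
advisory text; the tmsh field layout is an assumption about `tmsh show sys version`.
"""

from typing import Optional, Tuple

Version = Tuple[int, ...]

# (product, branch prefix, first fixed version) as listed in the advisory.
# A version is affected when it lies on the branch and sorts below the fix.
AFFECTED_BRANCHES = [
    ("BIG-IP", (16, 0), (16, 0, 1, 1)),
    ("BIG-IP", (15, 1), (15, 1, 2, 1)),
    ("BIG-IP", (14, 1), (14, 1, 4)),
    ("BIG-IP", (13, 1), (13, 1, 3, 6)),
    ("BIG-IP", (12, 1), (12, 1, 5, 3)),
    ("BIG-IQ", (7, 1, 0), (7, 1, 0, 3)),
    ("BIG-IQ", (7, 0, 0), (7, 0, 0, 2)),
]


def parse_version(text: str) -> Version:
    """'15.1.0.4' -> (15, 1, 0, 4).  Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, n: int) -> Version:
    """Zero-extend so that 14.1.4 compares equal to 14.1.4.0."""
    return v + (0,) * (n - len(v))


def is_affected(product: str, version: str) -> Tuple[Optional[bool], str]:
    """Return (True, why) if affected, (False, why) if at or above the fix on a
    listed branch, and (None, why) if the branch is not one the advisory evaluated."""
    v = parse_version(version)
    for prod, branch, fixed in AFFECTED_BRANCHES:
        if prod != product or _pad(v, len(branch))[: len(branch)] != branch:
            continue
        n = max(len(v), len(fixed))
        fixed_text = ".".join(map(str, fixed))
        if _pad(v, n) < _pad(fixed, n):
            return True, f"{product} {version} is below the fixed release {fixed_text}"
        return False, f"{product} {version} is at or above the fixed release {fixed_text}"
    return None, f"{product} {version} is not on a branch the advisory evaluated (EoSD or newer); verify with the vendor"


# Constructed sample of `tmsh show sys version` output (not captured from a real device).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.0.4
  Build       0.0.6
  Edition     Point Release 4
  Date        Tue Nov 17 20:37:54 PST 2020
"""


def parse_tmsh_sys_version(output: str) -> Tuple[str, str]:
    """Pull (product, version) out of `tmsh show sys version` text.
    Assumes the two-column `Product` / `Version` lines shown in the sample."""
    fields = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("Product", "Version"):
            fields[parts[0]] = parts[1].strip()
    if "Product" not in fields or "Version" not in fields:
        raise ValueError("Product/Version not found in tmsh output")
    return fields["Product"], fields["Version"]


def assess_tmsh_output(output: str) -> Tuple[Optional[bool], str]:
    """Convenience wrapper: tmsh text in, (verdict, reason) out."""
    product, version = parse_tmsh_sys_version(output)
    return is_affected(product, version)


if __name__ == "__main__":
    for prod, ver in [("BIG-IP", "15.1.0.4"), ("BIG-IP", "14.1.4"),
                      ("BIG-IQ", "7.0.0.1"), ("BIG-IP", "11.6.5")]:
        print(prod, ver, *is_affected(prod, ver))
    print(*assess_tmsh_output(SAMPLE_TMSH_OUTPUT))
```

A version match is necessary but not sufficient for exposure: the vulnerability is reachable only where the iControl REST interface is exposed to the attacker, so pair this check with an inventory of which networks can reach the management and self-IP interfaces. A `None` verdict is a prompt to consult F5 directly, not evidence that the build is safe.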
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
