article featured image


Hackers have begun deploying malicious payloads by means of a critical vulnerability identified as CVE-2022-1388, which has an impact on numerous versions of all F5 BIG-IP modules.

F5 issued patches for the BIG-IP iControl REST authentication component security problem (9.8 severity level) last week.

Exploiting the mentioned vulnerability, an unauthenticated threat actor would be able to perform a series of malicious actions on the BIG-IP:

This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.


Thousands of BIG-IP systems are currently accessible on the internet, allowing attackers to remotely exploit the vulnerability and enter the corporate network.

Several security experts have stated recently that they had developed working exploits and advised administrators to upgrade their systems immediately.

Because the attacks just require two commands and certain headers transmitted to an unpatched ‘bash’ endpoint accessible to the internet, the exploits have recently become publicly available.

According to the BleepingComputer publication, the proof-of-exploit code for CVE-2022-1388 is already circulating on Twitter, with indications that it is being used in the wild to drop webshells for extended backdoor access.

Threat Actors Dropping Webshells

Threat actors were dropping PHP webshells to “/tmp/f5.sh” and installed them to “/usr/local/www/xui/common/css/,” according to Cronup security researcher Germán Fernández.

When the installation is complete, the payload would be executed and then taken out from the system.

Kevin Beaumont has also noticed exploitation efforts. However, these attacks’ target was not the management interface.

On the other hand, other researchers claim they’ve noticed exploitation attempts of the management interface through CVE-2022-1388.

Because the vulnerability is so simple to be abused, several security researchers suspect it was not included in the products by mistake, especially considering the name of the vulnerable endpoint (“bash”), a prominent Linux shell.

According to Jake Williams, executive director of cyber threat intelligence at Scythe, the issue could have been caused by a development error.

Will Dormann, a vulnerability analyst at the CERT/CC, feels the same way, believing that it could become a much greater problem otherwise.

Recommended Mitigation Measures

Because the vulnerability has already been broadly distributed, administrators should immediately deploy available patches, disable access to the administration interface over the public internet, or use F5’s mitigations until updates are ready to be deployed. The mitigations provided by F5 are the following:

How Can Heimdal™ Help?

Patch management is a core aspect of any vulnerability management strategy. Choose Heimdal Patch & Asset Management and benefit from:

  • the shortest vendor-to-end-user waiting time: have your patch ready to be installed in less than 4 hours from the release;
  • a broad range of patches from Microsoft and Linux OS to third-party and proprietary patches;
  • a variety of effective functionalities like on-demand updates or advanced scheduling.

BOOK a DEMO and see for yourself!

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo