F5 Networks recently released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, but adversaries have already begun mass scanning for, and targeting, exposed and unpatched appliances.

This in-the-wild exploitation began after proof-of-concept exploit code surfaced online earlier this week, produced by reverse-engineering the Java software patch for BIG-IP; mass scanning has spiked since then.

The flaws affect BIG-IP versions 11.6 or 12.x and newer and include a critical remote code execution vulnerability, CVE-2021-22986 (CVSS score: 9.8), that also impacts BIG-IQ versions 6.x and 7.x.

Successful exploitation of these vulnerabilities could lead to a fully compromised system: remote code execution, or a buffer overflow that results in a denial of service (DoS).

On March 10, F5 said it wasn’t aware of any public exploitation, but researchers from NCC Group have since found evidence of “full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986”, and researchers from Palo Alto Networks’ Unit 42 reported that they had identified attempts to exploit CVE-2021-22986 and install the Mirai botnet.
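Because the exploitation described above goes through the iControl REST API, one practical detection and hardening check is to confirm that only management hosts ever reach that API. The script below is an added example written for this article, not code from F5 or from the researchers cited; it assumes a simplified combined-style access log format (the sample lines are constructed, not real BIG-IP output) and a hypothetical management allowlist (`MGMT_ALLOWLIST`) chosen by the operator. It parses the log, flags every iControl REST request (anything under `/mgmt/`) whose source is outside the allowlist, and summarizes the offending sources.

```python
"""Flag iControl REST API requests that originate outside the management allowlist.

Added example; assumes a simplified combined-style access log (constructed below)
and an operator-chosen allowlist of management networks.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical management networks: the only legitimate iControl REST clients.
MGMT_ALLOWLIST = [ip_network("10.0.5.0/24")]

# iControl REST endpoints live under /mgmt/; /tmui/ is the web configuration UI.
ICONTROL_PREFIX = "/mgmt/"

# Combined-log style: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log (not real BIG-IP output). Documentation addresses only.
SAMPLE_LOG = """\
10.0.5.20 - - [19/Mar/2021:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
203.0.113.45 - - [19/Mar/2021:10:03:11 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 88
203.0.113.45 - - [19/Mar/2021:10:03:12 +0000] "POST /mgmt/tm/ltm/virtual HTTP/1.1" 200 231
198.51.100.7 - - [19/Mar/2021:10:05:40 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3021
10.0.5.21 - - [19/Mar/2021:10:06:00 +0000] "POST /mgmt/tm/ltm/pool HTTP/1.1" 200 120
198.51.100.7 - - [19/Mar/2021:10:07:15 +0000] "GET /mgmt/tm/ltm/pool HTTP/1.1" 403 77
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_management_source(src):
    """True when src is an IP address inside one of the allowlisted management networks."""
    try:
        addr = ip_address(src)
    except ValueError:  # hostnames or garbage are never trusted
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def find_suspicious(log_text):
    """Return (src, method, path, status) for every iControl REST request from a
    source outside the management allowlist. Non-API paths and unparseable lines
    are ignored."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(ICONTROL_PREFIX) and not is_management_source(rec["src"]):
            hits.append((rec["src"], rec["method"], rec["path"], rec["status"]))
    return hits


def summarize(hits):
    """Count flagged requests per source address, most active first."""
    return Counter(src for src, *_ in hits)


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for src, method, path, status in flagged:
        print(f"ALERT {src} {method} {path} -> {status}")
    for src, count in summarize(flagged).most_common():
        print(f"{src}: {count} iControl REST request(s) from outside the management allowlist")
```

On the constructed sample this flags three requests from two non-management addresses; note that the failed (401/403) requests are reported alongside the successful one, since repeated failures from the same source are exactly the scanning activity the article describes. In a real deployment the same allowlist is better enforced at the network layer so that the API is unreachable from outside the management network, with this log check serving as confirmation that the control holds.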

Given the popularity of BIG-IP/BIG-IQ in corporate and government networks, it should come as no surprise that this is the second time in a year F5 appliances have become a lucrative target for exploitation.

This is not the first time F5 has had to address a critical flaw: CVE-2020-5902, patched last year, was abused by Iranian and Chinese state-sponsored hacking groups.

“The bottom line is that [the flaws] affect all BIG-IP and BIG-IQ customers and instances — we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible.”

For the time being it is not clear whether these exploitation attempts were successful, as researchers are still investigating.
