The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, BIG-IP Analytics 11.0.0 through 11.5.1, BIG-IP Edge Gateway, WebAccelerator, WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, Enterprise Manager 2.1.0 through 2.3.0 and 3.0.0 through 3.1.1, and BIG-IQ Cloud, Device, and Security 4.0.0 through 4.3.0 allows remote administrators to execute arbitrary commands via shell metacharacters in the hostname element in a SOAP request.
Published 2014-05-12 14:55:07
Updated 2015-11-20 16:24:43
Source CERT/CC
View at NVD,   CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2014-2928

62.37%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 98 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2014-2928

  • F5 iControl Remote Root Command Execution
    Disclosure Date: 2013-09-17
    First seen: 2020-04-26
    exploit/linux/http/f5_icontrol_exec
    This module exploits an authenticated remote command execution vulnerability in the F5 BIGIP iControl API (and likely other F5 devices). Authors: - bperry

CVSS scores for CVE-2014-2928

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
7.1
HIGH AV:N/AC:H/Au:S/C:C/I:C/A:C
3.9
10.0
NIST

References for CVE-2014-2928

Products affected by CVE-2014-2928

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!