On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published 2022-05-05 17:15:11
Updated 2023-11-02 01:54:15
Source F5 Networks

Products affected by CVE-2022-1388

CVE-2022-1388 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
F5 BIG-IP Missing Authentication Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2022-1388
Added on 2022-05-10; action due date 2022-05-31

Exploit prediction scoring system (EPSS) score for CVE-2022-1388

EPSS score: 97.48% (probability of exploitation activity in the next 30 days)
Percentile: ~100% (the proportion of vulnerabilities that are scored at or below this score)

Metasploit modules for CVE-2022-1388

  • F5 BIG-IP iControl RCE via REST Authentication Bypass
    Disclosure Date: 2022-05-04
    First seen: 2022-12-23
    exploit/linux/http/f5_icontrol_rce
    This module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results

CVSS scores for CVE-2022-1388

Base Score  Base Severity  CVSS Vector                                    Exploitability Score  Impact Score  Score Source  First Seen
7.5         HIGH           AV:N/AC:L/Au:N/C:P/I:P/A:P                     10.0                  6.4           NIST
9.8         CRITICAL       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   3.9                   5.9           F5 Networks
9.8         CRITICAL       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   3.9                   5.9           NIST

CWE ids for CVE-2022-1388

  • The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
    Assigned by:
    • f5sirt@f5.com (Primary)
    • nvd@nist.gov (Secondary)

References for CVE-2022-1388
