CVE-2021-22986

critical

Description

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

From the Tenable Blog

CVE-2021-22986: F5 Patches Several Critical Vulnerabilities in BIG-IP, BIG-IQ
CVE-2021-22986: F5 Patches Several Critical Vulnerabilities in BIG-IP, BIG-IQ

Published: 2021-03-11

F5 releases patches for multiple vulnerabilities in BIG-IP and BIG-IQ, including a critical remote command execution flaw that does not require authentication and is likely to attract exploits in the near future.

References

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a

https://www.darkreading.com/vulnerabilities-threats/everything-you-need-to-know-about-lockbit

https://www.tenable.com/cyber-exposure/a-look-inside-the-ransomware-ecosystem

https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ip

https://www.tenable.com/cyber-exposure/2021-threat-landscape-retrospective

https://web.archive.org/web/20211025233339/https://twitter.com/pancak3lullz/status/1452679527197560837

https://www.tenable.com/blog/cve-2021-22986-f5-patches-several-critical-vulnerabilities-in-big-ip-big-iq

https://support.f5.com/csp/article/K03009991

http://packetstormsecurity.com/files/162066/F5-BIG-IP-16.0.x-Remote-Code-Execution.html

http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html

Details

Source: Mitre, NVD

Published: 2021-03-31

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical