Threat actors are attempting to exploit CVE-2021-22986 in F5 BIG-IP devices in the wild

Pierluigi Paganini March 19, 2021

Cybersecurity experts warn of ongoing attacks aimed at exploiting a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices.

Cybersecurity experts from NCC Group and Bad Packets security firm this week detected a wave of attacks exploiting a recently patched critical vulnerability, tracked as CVE-2021-22986, in F5 BIG-IP and BIG-IQ networking devices.

“After seeing lots of broken exploits and failed attempts, we are now seeing successful in the wild exploitation of this vulnerability, as of this morning” said Rich Warren, red team expert at NCC Group.

F5 BIG-IP attacks

In early March, the security vendor has released security updates for seven vulnerabilities in BIG-IP products, four have been rated as critical severity, two other issues have been rated high and one medium severity.

CVE-2021-22986 is an unauthenticated remote command execution vulnerability that resides in the iControl REST interface. The flaw received a CVSS score of 9.8 and affects BIG-IP and BIG-IQ.

The vulnerability could be exploited by unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.

“We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible.” reads the advisory published by F5.

The attacks started shortly after some security researchers have already released proof-of-concept exploit code for the above vulnerability.

NCC Group released indicators of compromise for the above attacks, along with detection logic, and Suricata network rules.

“In the week that followed, several researchers posted proof-of-concept code after reverse engineering the Java software patch in BIG-IP.” reads the post published by NCC Group.

“Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure. This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon.”


Researchers at Palo Alto Networks are also observing a Mirai variant from attempting to exploit the CVE-2021-22986 and CVE-2020-28188.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, F5 BIG-IP)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment