Comment on Vulnerabilities in F5 BIG-IP and BIG-IQ from Tenable
F5 announced multiple CVEs impacting BIG-IP and BIG-IQ devices. Four of the vulnerabilities are rated critical; an attacker could exploit them to take control of an affected system.
“F5 recently addressed several vulnerabilities in its BIG-IP and BIG-IQ, of which four were rated critical. The most severe of these critical vulnerabilities is CVE-2021-22986, an unauthenticated remote command execution flaw in the iControl REST interface. It received a CVSSv3 score of 9.8 out of 10, making it one of the most severe flaws patched today. Successful exploitation of this flaw could lead to full system compromise.
As we saw last summer when F5 patched CVE-2020-5902, another critical vulnerability in BIG-IP, attackers quickly latch onto such flaws and begin scanning for and targeting vulnerable F5 devices that are publicly accessible. We expect history to repeat itself for CVE-2021-22986 in the coming days and weeks, especially once a proof-of-concept becomes publicly available. It’s imperative for organizations to update to a patched version immediately.” – Satnam Narang, Staff Research Engineer, Tenable.