Attackers are attempting to exploit critical F5 BIG-IP RCE

Researchers have developed PoC exploits for CVE-2022-1388, a critical remote code execution bug affecting F5 BIG-IP multi-purpose networking devices/modules. Simultaneously, in-the-wild exploitation attempts have also been detected.

CVE-2022-1388 PoC exploits

Security researchers have started sharing evidence of their successful exploitation attempts of CVE-2022-1388 during the weekend:

The Attack Team announced they will be releasing the PoC this week.

Researcher Kevin Beaumont has also spotted exploitation attemps:

Fix or mitigate exploitation risk

CVE-2022-1388 is a flaw that can be exploited by unauthenticated attackers remotely to take over vulnerable BIG-IP devices and use that access to execute system commands, create or delete files, or disable services.

The vulnerability was patched last week by F5, along with many other less critical flaws. The company warned that it could be exploited through the devices’ management port and/or self IP addresses, and urged administrators to update their BIG-IP installations to a version delivering the fix (17.0.0,,, or 13.1.5) or implement the proposed mitigations to protect affected devices/modules:

  • Blocking iControl REST access through the self IP address
  • Blocking iControl REST access through the management interface
  • Modifying the BIG-IP httpd configuration

Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, says that he usually recommends patching first and later attending to the configuration issues but that, in this case, users should swap the order of those two steps.

“First, make sure you are not exposing the admin interface. If you can’t manage that: Don’t try patching. Turn off the device instead. If the configuration interface is safe: Patch,” he advised.

UPDATE (May 9, 2022, 12:20 p.m. ET):

As attackers are exploiting the flaw and dropping webshells, the Attack Team has decided to release their PoC.

The Randori Attack Team has also developed a working exploit, and has released a detailed vulnerability analysis and a one-line bash script that defenders can use to determine if their BIG-IP instances are still exploitable after deploying the patches.

UPDATE (May 19, 2022, 06:00 a.m. ET):

CISA’s security alert contains Snort and Suricata signatures administrators can use to determine whether their systems have been compromised.

Don't miss