CVE-2022-1388: BIG-IP iControl REST vulnerability
by CIRT Team
CVE-2022-1388: On F5 BIG-IP 16.1.x versions prior to 188.8.131.52, 15.1.x versions prior to 184.108.40.206, 14.1.x versions prior to 220.127.116.11, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication.
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services.
CVSS v3.1 Base Score: 9.8 CRITICAL
Mitigation: Updates are available. Please see the references or vendor advisory for more information.