CVE-2022-1388

CVSS 9.8 CRITICAL · EPSS 100.0% · ● KEV · CWE-306
In short

F5 BIG-IP devices with certain software versions allow attackers to bypass authentication on the iControl REST API, granting unauthorized access to critical system management functions without valid credentials.

Technical detail

CWE-306 (Missing Authentication Check): Unauthenticated requests to iControl REST on vulnerable BIG-IP versions bypass authentication mechanisms, allowing remote attackers to directly access administrative functions. Affected versions include 16.1.x (<16.1.2.2), 15.1.x (<15.1.5.1), 14.1.x (<14.1.4.6), 13.1.x (<13.1.5), and all 12.1.x and 11.6.x versions. Impact includes full device compromise and configuration manipulation.

Summary generated and translated by AI from the official description.

Official description: On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
F5 · BIG-IP
Public PoCs found: 69

github · github.com/horizon3ai/CVE-2022-1388 · 230
github · github.com/doocop/CVE-2022-1388-EXP · 93
github · github.com/alt3kx/CVE-2022-1388_PoC · 87
github · github.com/0xf4n9x/CVE-2022-1388 · 83
github · github.com/ZephrFish/F5-CVE-2022-1388-Exploit · 59
github · github.com/sherlocksecurity/CVE-2022-1388-Exploit-POC · 58
github · github.com/numanturle/CVE-2022-1388 · 53
github · github.com/Al1ex/CVE-2022-1388 · 37
github · github.com/MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed · 28
github · github.com/jheeree/CVE-2022-1388-checker · 25
github · github.com/PsychoSec2/CVE-2022-1388-POC · 14
github · github.com/justakazh/CVE-2022-1388 · 13
github · github.com/Zeyad-Azima/CVE-2022-1388 · 12
github · github.com/west9b/F5-BIG-IP-POC · 10
github · github.com/Henry4E36/CVE-2022-1388 · 8
github · github.com/qusaialhaddad/F5-BigIP-CVE-2022-1388 · 7
github · github.com/vaelwolf/CVE-2022-1388 · 7
github · github.com/blind-intruder/CVE-2022-1388-RCE-checker-and-POC-Exploit · 7
github · github.com/gotr00t0day/CVE-2022-1388 · 7
github · github.com/MrCl0wnLab/Nuclei-Template-Exploit-F5-BIG-IP-iControl-REST-Auth-Bypass-RCE-Command-Parameter · 6
github · github.com/0x7eTeam/CVE-2022-1388-PocExp · 6
github · github.com/Vulnmachines/F5-Big-IP-CVE-2022-1388 · 6
github · github.com/Angus-Team/F5-BIG-IP-RCE-CVE-2022-1388 · 5
github · github.com/Stonzyy/Exploit-F5-CVE-2022-1388 · 5
github · github.com/AmirHoseinTangsiriNET/CVE-2022-1388-Scanner · 5
github · github.com/bandit92/CVE2022-1388_TestAPI · 4
github · github.com/revanmalang/CVE-2022-1388 · 3
github · github.com/nvk0x/CVE-2022-1388-exploit · 3
github · github.com/aancw/CVE-2022-1388-rs · 2
github · github.com/SecTheBit/CVE-2022-1388 · 2
github · github.com/savior-only/CVE-2022-1388 · 2
github · github.com/saucer-man/CVE-2022-1388 · 2
github · github.com/superzerosec/CVE-2022-1388 · 2
github · github.com/EvilLizard666/CVE-2022-1388 · 2
github · github.com/devengpk/CVE-2022-1388 · 2
github · github.com/chesterblue/CVE-2022-1388 · 1
github · github.com/LinJacck/CVE-2022-1388-EXP · 1
github · github.com/iveresk/cve-2022-1388-1veresk · 1
github · github.com/shamo0/CVE-2022-1388 · 1
github · github.com/vesperp/CVE-2022-1388-F5-BIG-IP · 1
github · github.com/thatonesecguy/CVE-2022-1388-Exploit · 1
github · github.com/0xAgun/CVE-2022-1388 · 1
github · github.com/yukar1z0e/CVE-2022-1388 · 1
github · github.com/iveresk/cve-2022-1388-iveresk-command-shell · 1
github · github.com/Chocapikk/CVE-2022-1388 · 1
github · github.com/Luchoane/CVE-2022-1388_refresh · 1
github · github.com/ThinkingOffensively/CVE-2022-1388 · 1
github · github.com/amitlttwo/CVE-2022-1388 · 1
github · github.com/j-baines/tippa-my-tongue · 1
github · github.com/nico989/CVE-2022-1388 · 1
github · github.com/pauloink/CVE-2022-1388 · 0
github · github.com/Osyanina/westone-CVE-2022-1388-scanner · 0
github · github.com/sashka3076/F5-BIG-IP-exploit · 0
github · github.com/li8u99/CVE-2022-1388 · 0
github · github.com/jbharucha05/CVE-2022-1388 · 0
github · github.com/omnigodz/CVE-2022-1388 · 0
github · github.com/impost0r/CVE-2022-1388 · 0
github · github.com/M4fiaB0y/CVE-2022-1388 · 0
github · github.com/mr-vill4in/CVE-2022-1388 · 0
github · github.com/On-Cyber-War/CVE-2022-1388 · 0
github · github.com/r0otk3r/CVE-2022-1388 · 0
github · github.com/SudeepaShiranthaka/F5-BIG-IP-Remote-Code-Execution-Vulnerability-CVE-2022-1388-A-Case-Study · 0
github · github.com/Hudi233/CVE-2022-1388 · 0
github · github.com/battleofthebots/refresh · 0
github · github.com/Wrin9/CVE-2022-1388 · 0
exploitdb · www.exploit-db.com/exploits/50932 · unverified
cve_reference · packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html · unverified
cve_reference · packetstormsecurity.com/files/167118/F5-BIG-IP-16.0.x-Remote-Code-Execution.html · unverified
cve_reference · packetstormsecurity.com/files/167150/F5-BIG-IP-iControl-Remote-Code-Execution.html · unverified
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
