BIG-IP iControl REST vulnerability offers root commands

This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

Security Advisory Status

F5 Product Development has assigned IDs 1033837, 1051561, and 1052837 (BIG-IP) to this vulnerability. This issue has been classified as CWE-306: Missing Authentication for Critical Function.

Source: BIG-IP iControl REST vulnerability CVE-2022-1388
