A recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices was found to be exploited in the wild.
According to cybersecurity firm NCC Group, multiple exploitation attempts have been observed against their honeypot infrastructure. They assess that a working exploit is likely to become publicly available soon.
The attackers are trying to exploit an unauthenticated remote command execution (RCE) vulnerability tracked as CVE-2021-22986, and it affects most F5 BIG-IP and BIG-IQ software versions.
Multiple security researchers have already shared proof-of-concept exploit code after reverse-engineering the BIG-IP patch.
On successful exploitation of this bug, which has a severity rating of 9.8, full system compromise is possible, including lateral movement into the internal network and interception of controller application traffic.
A similarly critical RCE vulnerability with a maximum 10/10 severity rating tracked as CVE-2020-5902 in F5 BIG-IP ADC appliances was also heavily exploited last year after being patched in July 2020.
The Iranian-backed Pioneer Kitten hacking group was found to have started targeting enterprises with unpatched BIG-IP devices soon after the flaw was disclosed.
Their attacks lined up with an August alert issued by the FBI warning of Iranian state hackers attempting to exploit vulnerable BIG-IP ADC devices since early July 2020.
Security updates patching CVE-2021-22986 and three other critical security flaws affecting these products have been released, and organizations are advised to patch their F5 BIG-IP devices as soon as possible to defend against future attacks.
F5 provides information on upgrading BIG-IP appliances, with details on multiple upgrade scenarios. NCC Group also provides indicators of compromise, detection logic, and Suricata network rules to help admins detect and block incoming attacks.