Critical F5 BIG-IP flaw now targeted in active attacks


A recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices has been found to be exploited in the wild.

According to cybersecurity firm NCC Group, multiple exploitation attempts have been observed against its honeypot infrastructure. The firm assesses that a working public exploit is likely to become available soon.

The attackers are trying to exploit an unauthenticated remote command execution (RCE) vulnerability tracked as CVE-2021-22986, which lies in the iControl REST interface and affects most F5 BIG-IP and BIG-IQ software versions.

Multiple security researchers have already shared proof-of-concept exploit code after reverse-engineering the BIG-IP patch.

Successful exploitation of this bug, which carries a CVSS severity rating of 9.8, can lead to full system compromise, including lateral movement into the internal network and interception of controller application traffic.

A similarly critical RCE vulnerability in the management interface of F5 BIG-IP ADC appliances, tracked as CVE-2020-5902 and rated at the maximum 10/10 severity, was also heavily exploited last year after being patched in July 2020.

The Iranian-backed Pioneer Kitten hacking group was found to have started targeting enterprises with unpatched BIG-IP devices soon after that flaw was disclosed.

Their attacks lined up with an alert issued by the FBI in August warning that Iranian state hackers had been attempting to exploit vulnerable BIG-IP ADC devices since early July 2020.

Security updates patching CVE-2021-22986 and three other critical security flaws affecting these products have been released, and organizations are advised to update their F5 BIG-IP and BIG-IQ devices as soon as possible to defend against further attacks.

F5 provides information on upgrading BIG-IP appliances, with details on multiple upgrade scenarios; until the upgrade is done, its interim mitigation is to restrict access to the iControl REST interface to trusted management networks only. NCC Group also provides indicators of compromise, detection logic, and Suricata network rules to help admins detect and block incoming attacks.
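The kind of detection logic referred to above can also be applied retrospectively to the device's own HTTP access log. The following Python script is an added example written for this article; it is not NCC Group's detection logic nor F5's code, and it does not depend on any exploit details. It parses Apache combined-format access log lines (the format BIG-IP's httpd writes, although the lines below are constructed, not captured), treats every request to the `/mgmt/` (iControl REST) and `/tmui/` surfaces from outside an assumed management network (`10.0.0.0/24`, hypothetical) as an exposure finding, and raises a high-severity alert when the documented command-execution endpoint `/mgmt/tm/util/bash` is hit from such a source, noting whether it followed a REST login attempt and whether the device answered with success.

```python
import ipaddress
import re
from dataclasses import dataclass

# Apache "combined" style line. The sample lines further down are constructed
# for this example and were not captured from a real device.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: legitimate administration comes only from this network; adjust per site.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Documented iControl REST endpoints: the first runs a shell command on the device,
# the second issues an authentication token. Hits from outside the management
# network deserve attention regardless of which CVE an attacker is trying.
SHELL_ENDPOINT = "/mgmt/tm/util/bash"
LOGIN_ENDPOINT = "/mgmt/shared/authn/login"
ADMIN_PREFIXES = ("/mgmt/", "/tmui/")


@dataclass
class Alert:
    ip: str
    severity: str  # "low" (exposure) or "high" (command execution attempt)
    reason: str


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def from_mgmt_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def scan(lines):
    """Walk the log in order and emit alerts for admin-surface traffic from untrusted sources."""
    alerts = []
    seen_login = set()        # sources that POSTed to the REST login endpoint
    exposure_flagged = set()  # sources already reported once as an exposure finding
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        ip, method, status = e["ip"], e["method"], e["status"]
        path = e["path"].split("?")[0]
        if not path.startswith(ADMIN_PREFIXES) or from_mgmt_net(ip):
            continue
        if ip not in exposure_flagged:
            alerts.append(Alert(ip, "low", f"admin interface {path} reached from non-management source"))
            exposure_flagged.add(ip)
        if path == LOGIN_ENDPOINT and method == "POST":
            seen_login.add(ip)
        if path == SHELL_ENDPOINT and method == "POST":
            reason = "command execution endpoint called from non-management source"
            if ip in seen_login:
                reason += " after a REST login attempt"
            if status.startswith("2"):
                reason += " and the device returned success"
            alerts.append(Alert(ip, "high", reason))
    return alerts


def high_severity_sources(lines):
    """Sorted list of source IPs that triggered a high-severity alert."""
    return sorted({a.ip for a in scan(lines) if a.severity == "high"})


# Constructed sample log: one external host logs in and calls the shell endpoint,
# one internal admin does the same legitimately, one external host just browses TMUI.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Mar/2021:10:01:02 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 123 "-" "python-requests/2.25.1"',
    '203.0.113.10 - - [15/Mar/2021:10:01:03 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 200 456 "-" "python-requests/2.25.1"',
    '203.0.113.10 - - [15/Mar/2021:10:01:04 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 789 "-" "python-requests/2.25.1"',
    '10.0.0.5 - - [15/Mar/2021:09:00:00 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 2048 "-" "curl/7.64.1"',
    '10.0.0.5 - - [15/Mar/2021:09:00:10 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 300 "-" "curl/7.64.1"',
    '198.51.100.7 - - [15/Mar/2021:11:00:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity:5} {a.ip:15} {a.reason}")
```

Run against the constructed sample, the script reports the external host 203.0.113.10 first as an exposure finding and then as a high-severity command-execution attempt that followed a login and succeeded, reports 198.51.100.7 only as an exposure finding, and stays silent on the management-network host. The point of keeping the low-severity rule is that the admin surfaces should not be reachable from untrusted networks at all; any hit there is a configuration problem even when no exploit follows.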

