F5 BIG-IP iControl REST Authentication Bypass (CVE-2022-1388) for 2022-05-17

Last Updated: 12:00 UTC

CVE-2022-1388 is an authentication bypass (CVSS 9.8) in the F5 BIG-IP iControl REST API (/mgmt/tm/) that allows unauthenticated command execution on the management plane. Mass exploitation began within days of public disclosure, deploying webshells and cryptocurrency miners.

CVE References

CVE-2022-1388

MITRE ATT&CK

Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application

Observed URIs

• /mgmt/tm/util/bash

Attackers by Country

IP Address : ASN : City/Provider

• 45.197.132.71 : AS139076 enjoyvc japan corporation : Johannesburg