F5 BIG-IP iControl REST Authentication Bypass (CVE-2022-1388) for 2026-02-18

Last Updated: 16:45 UTC

CVE-2022-1388 is an authentication bypass (CVSS 9.8) in the F5 BIG-IP iControl REST API (/mgmt/tm/) that allows unauthenticated command execution on the management plane. Mass exploitation began within days of public disclosure, deploying webshells and cryptocurrency miners.

CVE References

CVE-2022-1388

MITRE ATT&CK

Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application

Observed URIs

• /mgmt/tm/util/bash

Attackers by Country

IP Address : ASN : City/Provider

• 103.164.191.36 : AS17995 pt iforte global internet : Indonesia

• 191.232.38.25 : AS8075 microsoft corporation : Campinas

• 45.197.132.71 : AS139076 enjoyvc japan corporation : Johannesburg

• 45.61.184.118 : AS53667 frantech solutions : United States of America

• 45.61.186.32 : AS53667 frantech solutions : United States of America