F5 BIG-IP iControl REST Authentication Bypass (CVE-2022-1388) for 2026-03-02
Mar 02, 2026
WebExploit
Last Updated: 12:16 UTC
CVE-2022-1388 is an authentication bypass (CVSS 9.8) in the F5 BIG-IP iControl REST API (/mgmt/tm/) that allows unauthenticated command execution on the management plane. Mass exploitation began within days of public disclosure, deploying webshells and cryptocurrency miners.
CVE References
MITRE ATT&CK
Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application
Observed URIs
- /mgmt/tm/util/bash
- /mgmt/tm/auth/user/5SfqG
- /mgmt/tm/sys/management-ip
Attackers by Country
IP Address : ASN : City/Provider
- 198.167.197.162 : AS39287 ab stract : Sweden