Vulnerability

Threat Actors Are Actively Exploiting CVE-2022-1388 RCE in F5 BIG-IP

Threat actors are exploiting critical F5 BIG-IP flaw CVE-2022-1388 to deliver malicious code, cybersecurity researchers warn.

Threat actors started massively exploiting the critical remote code execution vulnerability, tracked as CVE-2022-1388, affecting F5 BIG-IP.

Last week security and application delivery solutions provider F5 released its security notification to inform customers that it has released security updates from tens of vulnerabilities in its products.

The company addressed a total of 43 vulnerabilities, the most severe one is a critical issue tracked as CVE-2022-1388 (CVSS score of 9.8). An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can exploit the CVE-2022-1388 flaw to execute arbitrary system commands, create or delete files, or disable services.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by the vendor.”

The flaw affects the following versions:

16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5

and the vendor addressed it with the release of:

17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5

The company provided the following temporary mitigations for customers that cannot install the patched versions:

Researchers from Positive Technologies and Horizon3 Attack Team developed their own exploit code for CVE-2022-1388 and explained that the issue is trivial to exploit.

Recommended:  Online Thesis Archiving System 1.0 - SQLi Authentication Bypass

The popular researcher Kevin Beaumont confirmed the attack the ongoing attacks, but pointed out that they are not targeting the management interface.

The researcher Germán Fernández reported that threat actors are exploiting the flaw to drop PHP webshells to “/tmp/f5.sh” and install them to “/usr/local/www/xui/common/css/.”

source

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Recommended:  Confluence servers hacked to deploy AvosLocker, Cerber2021 Ransomware
RiSec.n0tst3
Connect
Share the word, let's increase Cybersecurity Awareness as we know it

Leave a Comment

Your email address will not be published. Required fields are marked *

RiSec Captcha 72 − 71 =