Cyber Resilience

CVE-2021-22986

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 31 March 2021
Modified: 27 October 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9448 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22986 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

The vulnerability is an unauthenticated remote command execution flaw in the iControl REST interface of F5 BIG-IP and BIG-IQ products. It affects BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, as well as BIG-IQ versions 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2. The issue is tracked as CWE-918 and carries a CVSS score of 9.8.

An unauthenticated attacker with network access can exploit the flaw to perform server-side request forgery leading to arbitrary command execution on the affected device. Successful exploitation grants the ability to read, modify, or delete data and fully compromise the confidentiality, integrity, and availability of the system.

F5 has published mitigation guidance and fixed releases in security advisory K03009991, which directs administrators to apply the listed patches or upgrades. Public exploit code demonstrating both the SSRF vector and remote code execution has been released via PacketStorm, confirming the issue is readily weaponizable in exposed environments.
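The version ranges above are the actionable part of this entry for an asset owner. The following added example (not code from the page, F5, or the advisory) encodes those ranges and triages an inventory of BIG-IP/BIG-IQ version strings into "affected", "fixed", or "unlisted"; the hostnames and versions in the sample inventory are constructed, and the "before" semantics follow the advisory wording (a version is affected when it is in a listed branch and strictly older than that branch's first fixed release).

```python
# Added example, not from the page or from F5: triage a BIG-IP / BIG-IQ
# inventory against the affected version ranges quoted in the advisory text.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected branches and the first fixed release in each, as stated on the page.
# A version is affected if it is in the branch and strictly before the fix.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "BIG-IP": [("16.0", "16.0.1.1"), ("15.1", "15.1.2.1"), ("14.1", "14.1.4"),
               ("13.1", "13.1.3.6"), ("12.1", "12.1.5.3")],
    "BIG-IQ": [("7.1.0", "7.1.0.3"), ("7.0.0", "7.0.0.2")],
}

def parse_version(s: str) -> Version:
    """'14.1.3.1' -> (14, 1, 3, 1). Shorter tuples sort before longer ones,
    so (16, 0, 1) < (16, 0, 1, 1), matching the advisory's 'before' wording."""
    return tuple(int(part) for part in s.strip().split("."))

def assess(product: str, version: str) -> str:
    """Return 'affected', 'fixed', or 'unlisted' (branch not covered by the
    advisory, e.g. an EoSD release that the vendor did not evaluate)."""
    v = parse_version(version)
    for branch, first_fixed in AFFECTED.get(product, []):
        b = parse_version(branch)
        if v[: len(b)] == b:
            return "affected" if v < parse_version(first_fixed) else "fixed"
    return "unlisted"

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Given (host, product, version) rows, return hosts that need the fix
    plus hosts whose branch the advisory does not cover (manual review)."""
    findings = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "fixed":
            findings.append((host, status))
    return findings

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "16.0.1"),
    ("lb-edge-02", "BIG-IP", "16.0.1.1"),
    ("lb-dc-07", "BIG-IP", "14.1.3.1"),
    ("bigiq-mgmt", "BIG-IQ", "7.0.0.1"),
    ("lb-legacy", "BIG-IP", "11.6.5"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as "unlisted" run a branch the advisory does not cover; per the page, EoSD releases were not evaluated, so treat them as unknown rather than safe.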

EU & UK References

Vulnerability details

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note:…


Software versions which have reached End of Software Development (EoSD) are not evaluated.

CWE(s): CWE-918 (Server-Side Request Forgery)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

F5 BIG-IP Access Policy Manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
F5 BIG-IP Advanced Firewall Manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
F5 BIG-IP Advanced Web Application Firewall: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
F5 BIG-IP Analytics: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
F5 BIG-IP Application Acceleration Manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
F5 BIG-IP Application Security Manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
F5 BIG-IP DDoS Hybrid Defender: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
F5 BIG-IP Domain Name System: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
F5 BIG-IP Fraud Protection Service: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
F5 BIG-IP Global Traffic Manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
+5 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces authentication and authorization checks on the iControl REST interface, directly blocking the unauthenticated RCE path.

IA-2 Identification and Authentication (Organizational Users) (prevent): Requires identification and authentication of users before allowing access to the management REST interface.

Patch management (prevent): Mandates timely application of vendor patches that close the unauthenticated SSRF-to-RCE flaw.

References