CVE-2021-22986
Published: 31 March 2021
Summary
CVE-2021-22986 is a critical-severity SSRF (CWE-918) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
The vulnerability is an unauthenticated remote command execution flaw in the iControl REST interface of F5 BIG-IP and BIG-IQ products. It affects BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, as well as BIG-IQ versions 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2. The issue is tracked as CWE-918 and carries a CVSS score of 9.8.
An unauthenticated attacker with network access can exploit the flaw to perform server-side request forgery leading to arbitrary command execution on the affected device. Successful exploitation grants the ability to read, modify, or delete data and fully compromise the confidentiality, integrity, and availability of the system.
F5 has published mitigation guidance and fixed releases in security advisory K03009991, which directs administrators to apply the listed patches or upgrades. Public exploit code demonstrating both the SSRF vector and remote code execution has been released via PacketStorm, confirming the issue is readily weaponizable in exposed environments.
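A defender-side triage helper, added here and not part of the advisory or of F5's own tooling: it encodes the affected branches and first fixed releases listed above for BIG-IP and BIG-IQ and sorts inventory records into vulnerable, fixed, or not covered (branches the advisory does not evaluate, such as releases past end of software development). The hostnames and versions in the sample inventory are constructed.

```python
"""Added example (not from the advisory): classify F5 device inventory entries
against the CVE-2021-22986 affected ranges. Only the version ranges come from
the advisory text; hostnames below are constructed sample data."""

# Affected branches and the first fixed release in each, as stated for this CVE.
AFFECTED_RANGES = {
    "BIG-IP": [("16.0", "16.0.1.1"), ("15.1", "15.1.2.1"), ("14.1", "14.1.4"),
               ("13.1", "13.1.3.6"), ("12.1", "12.1.5.3")],
    "BIG-IQ": [("7.1.0", "7.1.0.3"), ("7.0.0", "7.0.0.2")],
}


def parse_version(text):
    """'16.0.1' -> (16, 0, 1); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version_text):
    """True if affected, False if at/after the fixed release in its branch,
    None if the branch (or product) is not covered by the advisory."""
    version = parse_version(version_text)
    for branch, fixed in AFFECTED_RANGES.get(product, []):
        prefix = parse_version(branch)
        if version[:len(prefix)] == prefix:
            # Tuple comparison treats 16.0.1 as earlier than 16.0.1.1.
            return version < parse_version(fixed)
    return None


def triage(inventory):
    """Split (host, product, version) records into vulnerable / fixed / unknown."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, product, version in inventory:
        state = is_affected(product, version)
        bucket = "unknown" if state is None else ("vulnerable" if state else "fixed")
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "16.0.1"),    # 16.0.x before 16.0.1.1
    ("lb-edge-02", "BIG-IP", "16.0.1.1"),  # first fixed release
    ("lb-core-01", "BIG-IP", "14.1.3.2"),  # 14.1.x before 14.1.4
    ("lb-core-02", "BIG-IP", "14.1.4.1"),  # later than 14.1.4
    ("lb-old-01", "BIG-IP", "11.6.5"),     # branch not evaluated by the advisory
    ("bigiq-01", "BIG-IQ", "7.1.0.2"),     # 7.1.0.x before 7.1.0.3
]
```

Records that come back as "unknown" need a manual check against the vendor advisory rather than being treated as safe.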
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-10104
Vulnerability details
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
- CWE(s): CWE-918
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Enforces authentication and authorization checks on the iControl REST interface, directly blocking the unauthenticated RCE path.
Requires identification and authentication of users before allowing access to the management REST interface.
Mandates timely application of vendor patches that close the unauthenticated SSRF-to-RCE flaw.