Cyber Resilience

CVE-2021-22991

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 31 March 2021
Modified: 27 October 2025
KEV Added: 18 January 2022

CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.7309 (98.8th percentile)
Risk Priority: 83 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22991 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS 98.8th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2021-22991 is a buffer overflow vulnerability in F5 BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3. The flaw resides in the Traffic Management Microkernel (TMM) handling of URI normalization for requests sent to virtual servers and is tracked under CWE-119. It carries a CVSS v3.1 score of 9.8.

An unauthenticated remote attacker can send specially crafted requests to an affected virtual server. Successful exploitation produces a denial of service; under certain conditions the same flaw may permit bypass of URL-based access controls or remote code execution.

F5 addresses the issue in knowledge article K56715231, which supplies the fixed software versions and recommended remediation steps. The vulnerability appears in CISA’s catalog of known exploited vulnerabilities.

The high severity and confirmed in-the-wild exploitation underscore the need for prompt patching of exposed BIG-IP deployments.
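Because the affected ranges are stated per release branch (each branch has its own first fixed version), a plain string comparison is not enough to triage an inventory. The following version checker is an added example written for this page; it is not code from F5 or from the knowledge article. It assumes BIG-IP versions are reported as purely numeric dotted strings (no build or hotfix suffix) and encodes only the branches and fixed versions listed above; any other branch is reported as undetermined rather than guessed at.

```python
from typing import Dict, Optional, Tuple

# Affected branches taken from the advisory text on this page:
#   (major, minor) -> first fixed version on that branch.
# A version is affected when it sits on a listed branch and is strictly
# below that branch's fix.
AFFECTED_BRANCHES: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (16, 0): (16, 0, 1, 1),
    (15, 1): (15, 1, 2, 1),
    (14, 1): (14, 1, 4),
    (13, 1): (13, 1, 3, 6),
    (12, 1): (12, 1, 5, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted numeric BIG-IP version such as '16.0.1.1'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed BIG-IP version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Right-pad with zeros so '14.1.4' and '14.1.4.0' compare as equal
    # instead of the shorter tuple sorting first.
    return version + (0,) * (width - len(version))


def is_affected(text: str) -> Optional[bool]:
    """True/False for a listed branch; None when the branch is not
    covered by the advisory text (EoSD or newer branches), so the
    caller can flag it for manual review instead of treating it as safe."""
    version = parse_version(text)
    if len(version) < 2:
        raise ValueError(f"version needs at least major.minor: {text!r}")
    fixed = AFFECTED_BRANCHES.get(version[:2])
    if fixed is None:
        return None
    width = max(len(version), len(fixed))
    return _pad(version, width) < _pad(fixed, width)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected', 'fixed' or 'undetermined'."""
    result = {}
    for host, version in inventory.items():
        state = is_affected(version)
        result[host] = (
            "undetermined" if state is None else "affected" if state else "fixed"
        )
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "lb-edge-01": "16.0.1",      # below 16.0.1.1 -> affected
        "lb-edge-02": "16.0.1.1",    # exactly the fix -> fixed
        "lb-core-01": "14.1.3.9",    # below 14.1.4 -> affected
        "lb-core-02": "14.1.4",      # exactly the fix -> fixed
        "lb-lab-01": "17.0.0",       # branch not listed -> undetermined
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Treat "undetermined" as a prompt to consult K56715231 directly: the page notes that End of Software Development versions were not evaluated, so absence from the list is not evidence of safety.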

EU & UK References

Vulnerability details

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
KEV Date Added: 18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

f5 big-ip access policy manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
f5 big-ip advanced firewall manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
f5 big-ip advanced web application firewall: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
f5 big-ip analytics: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
f5 big-ip application acceleration manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
f5 big-ip application security manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
f5 big-ip ddos hybrid defender: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
f5 big-ip domain name system: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
f5 big-ip fraud protection service: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
f5 big-ip global traffic manager: 12.1.0 — 12.1.5.3 · 13.1.0 — 13.1.3.6 · 14.1.0 — 14.1.4
+4 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly requires timely installation of vendor patches that eliminate the TMM URI-normalization buffer overflow.

SI-10 Information Input Validation (prevent): mandates validation of externally supplied data (URIs) before processing, blocking the malformed requests that trigger the overflow.

SC-7 Boundary Protection (prevent): enforces boundary filtering and inspection of traffic destined to virtual servers, limiting exposure to unauthenticated crafted requests.

References