Cyber Resilience

CVE-2022-1388

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 05 May 2022

Modified: 27 October 2025
KEV Added: 10 May 2022
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9446 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-1388 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2022-1388 is an authentication bypass vulnerability affecting the iControl REST interface on F5 BIG-IP appliances. It impacts versions 16.1.x prior to 16.1.2.2, 15.1.x prior to 15.1.5.1, 14.1.x prior to 14.1.4.6, 13.1.x prior to 13.1.5, and all releases in the 12.1.x and 11.6.x branches; versions that have reached end of technical support are excluded from evaluation. The flaw is tracked as CWE-306 and carries a CVSS 3.1 base score of 9.8.

Unauthenticated attackers with network access can send specially crafted requests that evade iControl REST authentication checks. Successful exploitation grants the ability to execute arbitrary commands, read or modify configuration data, and fully compromise the affected device, consistent with the critical severity rating and multiple public remote-code-execution proof-of-concept releases.

F5’s advisory K23605346 directs customers to upgrade to the fixed releases listed above and, where patching is not immediately feasible, to restrict management access or disable iControl REST. Additional guidance from vendors and researchers emphasizes applying the updates promptly and monitoring for indicators of the bypass technique.
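The version triage that the advisory implies can be automated against an asset inventory. The helper below is an added example, not code from F5 or from this page; it encodes only the affected branches and fixed releases named above, treats the 12.1.x and 11.6.x branches as having no fixed release, and uses constructed hostnames and versions as sample input.

```python
# Added triage helper, not from F5 or the page's author: classify BIG-IP
# version strings against the affected and fixed releases named above.

# Fixed release per affected branch, taken from the advisory text. None means
# the whole branch is affected and has no fixed release (12.1.x and 11.6.x).
FIXED_BY_BRANCH = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
    (12, 1): None,
    (11, 6): None,
}

def parse_version(text):
    """'16.1.2.2' -> (16, 1, 2, 2); shorter strings are zero-padded to 4."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return parts + (0,) * (4 - len(parts))

def assess(version_text):
    """Return 'fixed', 'vulnerable', 'vulnerable_no_fix' or 'unlisted'."""
    v = parse_version(version_text)
    if v[:2] not in FIXED_BY_BRANCH:
        return "unlisted"  # branch not named on the page: do not guess either way
    fixed = FIXED_BY_BRANCH[v[:2]]
    if fixed is None:
        return "vulnerable_no_fix"  # EoTS branch: only moving off it helps
    fixed = fixed + (0,) * (4 - len(fixed))
    return "fixed" if v >= fixed else "vulnerable"

def triage_inventory(lines):
    """Map 'host<TAB>version' inventory lines to (host, version, status)."""
    out = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank and comment lines
        host, ver = line.split("\t", 1)
        out.append((host, ver.strip(), assess(ver)))
    return out

# Constructed sample inventory with hypothetical hostnames.
SAMPLE_INVENTORY = [
    "# host\tversion",
    "lb-edge-01\t16.1.2.1",
    "lb-edge-02\t16.1.2.2",
    "lb-legacy-01\t12.1.6",
    "lb-new-01\t17.0.0",
]
```

Calling `triage_inventory(SAMPLE_INVENTORY)` yields one `(host, version, status)` tuple per host; anything reported as `unlisted` needs a manual check against the vendor advisory rather than being assumed safe.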

The vulnerability’s EPSS score has remained at a persistently high level, with a recorded peak of 0.9752 and a current value of 0.9446, indicating sustained exploitation interest since disclosure. Public exploit code targeting multiple BIG-IP branches has been circulating since shortly after publication.

EU & UK References

Vulnerability details

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

f5 big-ip access policy manager: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
f5 big-ip advanced firewall manager: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
f5 big-ip analytics: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
f5 big-ip application acceleration manager: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
f5 big-ip application security manager: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
f5 big-ip domain name system: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
f5 big-ip fraud protection service: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
f5 big-ip global traffic manager: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
f5 big-ip link controller: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
f5 big-ip local traffic manager: 11.6.1 — 11.6.5 · 12.1.0 — 12.1.6 · 13.1.0 — 13.1.5
+1 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces approved authorizations (including authentication) before allowing access to iControl REST functions, blocking the bypass.

prevent: Requires identification and authentication of organizational users prior to granting access to the management interface that the flaw exposes.

prevent: Mandates timely application of vendor patches that close the authentication-bypass flaw in the listed BIG-IP versions.

References