CVE-2022-1388
Published: 05 May 2022
Summary
CVE-2022-1388 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in the iControl REST interface of F5 BIG-IP. It is catalogued here under BIG-IP Access Policy Manager, but iControl REST is part of the BIG-IP platform itself and is reachable whichever modules are licensed. Its CVSS base score is 9.8 (Critical).
Operationally, it sits in the top fraction of a percent of all CVEs by EPSS exploit likelihood (the percentile rounds to the top 0.0%), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof of concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3, Access Enforcement, and IA-2, Identification and Authentication (Organizational Users).
Deeper analysis
CVE-2022-1388 is an authentication bypass vulnerability affecting the iControl REST interface on F5 BIG-IP appliances. It impacts versions 16.1.x prior to 16.1.2.2, 15.1.x prior to 15.1.5.1, 14.1.x prior to 14.1.4.6, 13.1.x prior to 13.1.5, and all releases in the 12.1.x and 11.6.x branches; versions that have reached end of technical support are excluded from evaluation. The flaw is tracked as CWE-306 and carries a CVSS 3.1 base score of 9.8.
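As an added example (not code from this page or from F5), the affected-version ranges above turned into a check a practitioner can run against a plain version string or the `Version ... Build ...` line printed by `tmsh show sys version`. The table of branches and first fixed releases is taken from the advisory summary above; how unlisted branches are treated (anything newer than 16.1 reported as not listed, every other unlisted branch treated as EoTS and not evaluated) is an assumption of this example.

```python
import re
from typing import Tuple

Version = Tuple[int, ...]

# Branch -> first fixed release in that branch, from the advisory summary above.
# None means every release in the branch is affected and there is no fixed
# release: the only remedy is moving to a supported branch.
FIRST_FIXED = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
    (12, 1): None,
    (11, 6): None,
}
NEWEST_LISTED_BRANCH = (16, 1)


def parse_version(text: str) -> Version:
    """Pull the first dotted version out of text such as 'Version 16.1.2.1 Build 0.0.10'."""
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(v: Version, n: int) -> Version:
    """Right-pad with zeros so that 13.1.5 compares as 13.1.5.0."""
    return v + (0,) * (n - len(v))


def assess(text: str) -> str:
    """Classify a BIG-IP version as 'vulnerable', 'fixed',
    'not listed as affected' or 'not evaluated (EoTS)'."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIRST_FIXED:
        fixed = FIRST_FIXED[branch]
        if fixed is None:
            return "vulnerable"
        n = max(len(v), len(fixed))
        return "fixed" if _padded(v, n) >= _padded(fixed, n) else "vulnerable"
    # Assumption of this example: branches newer than the newest listed one were
    # not affected at publication; every other unlisted branch is EoTS.
    if branch > NEWEST_LISTED_BRANCH:
        return "not listed as affected"
    return "not evaluated (EoTS)"


if __name__ == "__main__":
    for sample in ("Version 16.1.2.1 Build 0.0.10", "16.1.2.2", "13.1.5",
                   "12.1.6", "17.0.0", "11.5.4"):
        print(f"{sample:32} {assess(sample)}")
```

Zero-padding matters for the 13.1.x branch, where the fixed release is written with three components: without it a naive tuple comparison would misclassify 13.1.5 against a four-component input.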
Unauthenticated attackers with network access can send specially crafted requests that evade iControl REST authentication checks. Successful exploitation grants the ability to execute arbitrary commands, read or modify configuration data, and fully compromise the affected device, consistent with the critical severity rating and multiple public remote-code-execution proof-of-concept releases.
F5’s advisory K23605346 directs customers to upgrade to the fixed releases listed above. Where patching is not immediately feasible it offers temporary mitigations: block iControl REST access through self IP addresses (port lockdown), block iControl REST access through the management interface so that only trusted networks can reach it, and modify the BIG-IP httpd configuration as described in the advisory. These limit exposure but do not remove the flaw. Additional guidance from vendors and researchers emphasizes applying the updates promptly and monitoring for indicators of the bypass technique.
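An added example, not from this page or from F5, of the "monitoring for indicators" step: a small triage routine over raw HTTP requests destined for iControl REST. Three indicators are checked. The first is the request shape reported in public analyses of this bypass, a Connection header that lists X-F5-Auth-Token so that a hop-by-hop-aware front end strips the token header before the request reaches the REST back end; this page does not describe the request itself, so treat that indicator as drawn from public reporting rather than from this entry. The second is iControl REST traffic arriving from outside the management networks that the advisory's access restriction should enforce (the 10.0.0.0/8 range is an assumption of the example). The third is use of the /mgmt/tm/util/bash command-execution endpoint that public PoCs used; legitimate automation also uses it, so on its own it is a weak signal. The sample requests are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumption of this example: the site's management network(s).
MGMT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Header names a client should never list as Connection (hop-by-hop) tokens.
AUTH_HEADER_NAMES = {"x-f5-auth-token", "authorization"}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, path, lowercase-keyed headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def analyse(src_ip: str, raw: str) -> List[str]:
    """Return the indicator names that one iControl REST request matches."""
    method, path, headers, body = parse_request(raw)
    findings: List[str] = []
    if not path.startswith("/mgmt/"):
        return findings  # only the iControl REST interface is in scope

    # 1. Connection header naming an auth header (hop-by-hop header stripping).
    conn_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if conn_tokens & AUTH_HEADER_NAMES:
        findings.append("connection-header-names-auth-header")

    # 2. iControl REST reached from outside the management networks.
    if not any(ipaddress.ip_address(src_ip) in net for net in MGMT_NETWORKS):
        findings.append("icontrol-rest-from-non-mgmt-source")

    # 3. Command execution through the util/bash endpoint.
    if method == "POST" and path.startswith("/mgmt/tm/util/bash") and "utilCmdArgs" in body:
        findings.append("util-bash-command-execution")
    return findings


def triage(samples: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run analyse() over (src_ip, raw_request) pairs; indicator 1 alone warrants escalation."""
    rows: List[Dict[str, object]] = []
    for src_ip, raw in samples:
        findings = analyse(src_ip, raw)
        rows.append({
            "src_ip": src_ip,
            "path": parse_request(raw)[1],
            "findings": findings,
            "escalate": "connection-header-names-auth-header" in findings,
        })
    return rows


# Constructed samples: (source IP, raw request).
SAMPLES = [
    # Authenticated version query from the management network: clean.
    ("10.20.0.5",
     "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example.internal\r\n"
     "X-F5-Auth-Token: EXAMPLETOKEN1\r\nConnection: keep-alive\r\n\r\n"),
    # Bypass-shaped request from the internet: all three indicators.
    ("198.51.100.7",
     "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: 203.0.113.10\r\n"
     "Authorization: Basic xxxx\r\nX-F5-Auth-Token: a\r\n"
     "Connection: keep-alive, X-F5-Auth-Token\r\nContent-Type: application/json\r\n\r\n"
     '{"command": "run", "utilCmdArgs": "-c id"}'),
    # Non-REST traffic is out of scope.
    ("198.51.100.7", "GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    # Legitimate automation running a tmsh command with a valid token: weak signal only.
    ("10.20.0.9",
     "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip.example.internal\r\n"
     "X-F5-Auth-Token: EXAMPLETOKEN2\r\nContent-Type: application/json\r\n\r\n"
     '{"command": "run", "utilCmdArgs": "-c \'tmsh show sys version\'"}'),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

The second indicator is also the one that tells you whether the advisory's access-restriction mitigation is actually in force: any hit means the REST interface is still reachable from where it should not be, patch or no patch.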
The vulnerability’s EPSS score has remained at a persistently high level, with a recorded peak of 0.9752 and a current value of 0.9446, indicating sustained exploitation interest since disclosure. Public exploit code targeting multiple BIG-IP branches has been circulating since shortly after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24705
Vulnerability details
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 10 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved authorizations (including authentication) before allowing access to iControl REST functions, blocking the bypass.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication of organizational users before granting access to the management interface that the flaw exposes.
- Timely vendor patching: mandates prompt application of the vendor patches that close the authentication-bypass flaw in the listed BIG-IP versions.