Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems.

Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints. The issues impact BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x.

The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows:

• CVE-2022-41622 (CVSS score: 8.8) - A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.
• CVE-2022-41800 (CVSS score: 8.7) - An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.

By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing.

However, it's worth noting that such an exploit requires an administrator with an active session to visit a hostile website.

Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.

Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.

While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it's recommended that users apply the necessary patches as and when they become available to mitigate potential risks.

The information contained in this website is for general information purposes only. The information is gathered from TheHackerNews, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.