Privacy Ninja

Hackers Exploiting Critical F5 BIG-IP Bug, Public Exploits Released

Threat actors have started massively exploiting the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads.

F5 last week released patches for the security issue (9.8 severity rating), which affects the BIG-IP iControl REST authentication component.

The company warned that the vulnerability enables an unauthenticated attacker on the BIG-IP system to run “arbitrary system commands, create or delete files, or disable services.”

At the moment, there are thousands of BIG-IP systems exposed on the internet, so attackers can leverage the exploit remotely to breach the corporate network.

Figure: Exposed F5 BIG-IP servers (source: Jacob Baines)

Yesterday, multiple security researchers announced that they had created working exploits and warned administrators to install the latest updates immediately.

Today, the bubble burst and exploits became available publicly, since an attack requires just two commands and a few HTTP headers sent to an unpatched ‘bash’ endpoint exposed to the internet.

At the moment, Twitter is filled with proof-of-concept exploit code for CVE-2022-1388 and reports that it is being leveraged in the wild to drop webshells for prolonged backdoor access.

Actively exploited to drop shells

Cronup security researcher Germán Fernández observed threat actors dropping PHP webshells to “/tmp/” and installing them to “/usr/local/www/xui/common/css/.”

After installation, the payload is executed and then removed from the system:

Figure: Attacker exploiting CVE-2022-1388 to drop a PHP webshell (source: Germán Fernández)
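The two observations above (requests to the ‘bash’ endpoint, and PHP files appearing under the XUI stylesheet directory) are the kind of thing a defender can hunt for directly. The following is an added example written for this page, not code from the article, from F5 or from any of the researchers quoted; it parses a few constructed access-log lines in a common-log style (BIG-IP’s real log format differs) and lists non-stylesheet files in the directory the article names. The endpoint path /mgmt/tm/util/bash is the iControl REST bash utility the article refers to only as the ‘bash’ endpoint; the management network prefix and all log lines are constructed sample values.

```python
"""Hunt for CVE-2022-1388 activity: endpoint hits in access logs and webshell
artifacts on disk. Added example for this page; not the article's own code."""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# iControl REST bash utility endpoint (the article's 'bash' endpoint).
ICONTROL_BASH_ENDPOINT = "/mgmt/tm/util/bash"

# Directory the article reports PHP webshells being installed into.
WEBSHELL_DROP_DIR = Path("/usr/local/www/xui/common/css/")

# Constructed sample log lines (not real BIG-IP logs). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet sources.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2022:10:01:12 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 512
10.0.0.5 - admin [09/May/2022:10:02:40 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 200 2048
198.51.100.9 - - [09/May/2022:10:03:01 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 0
10.0.0.5 - admin [09/May/2022:10:04:17 +0000] "GET /xui/common/css/app.css HTTP/1.1" 200 9001
"""

# Common-log-style line: source, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_bash_endpoint_requests(
    lines: Iterable[str], mgmt_networks: Tuple[str, ...] = ("10.0.0.",)
) -> List[Dict]:
    """Return every request to the bash utility endpoint.

    A 200 from an unauthenticated ('-') or internet-facing source is the
    strongest signal: a patched system answers such a request with 401.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        if m["path"].split("?")[0] != ICONTROL_BASH_ENDPOINT:
            continue
        hits.append({
            "src": m["src"],
            "user": m["user"],
            "status": int(m["status"]),
            "external": not m["src"].startswith(mgmt_networks),
            "succeeded": m["status"] == "200",
        })
    return hits


def hunt_webshell_artifacts(css_dir: Path = WEBSHELL_DROP_DIR) -> List[str]:
    """Return names of files in the stylesheet directory that are not .css.

    The article reports PHP webshells being copied here; a stylesheet
    directory has no business containing executable server-side files.
    """
    if not css_dir.is_dir():
        return []
    return sorted(
        p.name for p in css_dir.iterdir()
        if p.is_file() and p.suffix.lower() != ".css"
    )


if __name__ == "__main__":
    for hit in find_bash_endpoint_requests(SAMPLE_LOG.splitlines()):
        flag = "SUCCESS" if hit["succeeded"] else "blocked"
        print(f"{hit['src']:>14} user={hit['user']} status={hit['status']} "
              f"external={hit['external']} -> {flag}")
    for name in hunt_webshell_artifacts():
        print(f"suspicious file in {WEBSHELL_DROP_DIR}: {name}")
```

On the sample log the first hit (external source, no user, status 200) is the one worth an incident ticket; the 401 shows what the same request looks like against a patched or properly restricted system. Run the artifact hunt on the appliance itself, since the CSS directory only exists there.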

Exploitation attempts have also been observed by Kevin Beaumont in attacks that did not target the management interface. He notes that if the F5 system has been configured “as a load balancer and firewall via self IP it is also vulnerable so this may get messy.”

Other researchers, though, have seen CVE-2022-1388 massively leveraged against the management interface.

Suspiciously easy to exploit

The vulnerability is so easy to exploit that some security researchers believe that it did not end up in the products by accident, especially considering that the vulnerable endpoint is named ‘bash’, a popular Linux shell.

Jake Williams, executive director of cyber threat intelligence at Scythe, says that the flaw could be the result of a developer making a mistake.

Will Dormann, vulnerability analyst at the CERT/CC, shares the same feeling, fearing that otherwise it could be a much bigger issue.

Figure: Researcher sharing concern over the origin of CVE-2022-1388

Since the exploit is already widely shared publicly, administrators are strongly advised to install the available patches immediately, remove access to the management interface over the public internet, or apply the mitigations provided by F5 until updates can be installed.

F5’s advisory for this vulnerability, including detailed information on all security updates and mitigations, can be found here.

To help BIG-IP administrators, researchers at attack surface management company Randori published bash code that determines whether CVE-2022-1388 is exploitable on their instances.