F5 Discloses Eight Vulnerabilities—Including Four Critical Ones—in BIG-IP Systems

On March 10, 2021, F5 disclosed eight vulnerabilities, four of which are deemed "critical". The most severe of these is CVE-2021-22986, an unauthenticated remote code execution weakness that enables remote attackers to execute arbitrary commands on compromised BIG-IP devices.


Rapid7 has in-depth technical analysis on this vulnerability, including proof-of-concept code and information on indicators of compromise, available here.


On March 18, 2021, NCC Group reported seeing in-the-wild exploitation attempts, and they, along with other sources, expect that a complete attack chain will be finished imminently.


Given that a complete exploit chain will be available soon, we recommend patching F5 systems that expose the affected planes (see below) externally within the next 3–5 days. F5 systems that expose the affected planes only internally should be patched within a 30-day window, one that hopefully started eight days ago, provided that your organization follows a typical 30-, 60-, 90-day prioritization scheme. If your organization does not have a defined patch cadence, Rapid7 still recommends applying these internal system patches within the next 20 days.


Critical vulnerability overview


CVE-2021-22986


iControl REST unauthenticated remote command execution vulnerability (CVSSv3 9.8).


An HTTP REST API endpoint exposed on the control plane of F5 devices has an unauthenticated remote code execution vulnerability, enabling attackers to execute arbitrary code/commands on compromised devices. This impacts BIG-IP systems 7.0.0, 7.1.0, 12.x, and later, as well as any BIG-IQ (F5 BIG-IP centralized management service) version regardless of configuration.
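As an added example, not part of Rapid7's post, the following Python turns the patch-window guidance given earlier (3–5 days for externally exposed planes, the 30-day window counted from disclosure, 20 days without a defined cadence) and the version scope stated above for CVE-2021-22986 into an inventory triage script. The `F5Device` class, the `is_affected`, `patch_deadline` and `prioritize` functions, and the sample inventory are this example's own assumptions; the version scope is encoded exactly as the post states it, so check it against F5's advisory before relying on it.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Dates from the post: disclosure on March 10, 2021; the "30-day window that
# hopefully started eight days ago" places the post itself on March 18, 2021.
DISCLOSURE_DATE = date(2021, 3, 10)
POST_DATE = DISCLOSURE_DATE + timedelta(days=8)


@dataclass
class F5Device:
    """One inventory row. Field names are this example's own (hypothetical)."""
    name: str            # constructed label, not a real hostname
    product: str         # "BIG-IP" or "BIG-IQ"
    version: str         # TMOS/BIG-IQ version string such as "15.1.0"
    plane_exposure: str  # "external" if the affected plane is reachable from
                         # outside the organization, otherwise "internal"


def is_affected(dev: F5Device) -> bool:
    """Encode the version scope exactly as the post states it:
    BIG-IP 7.0.0, 7.1.0, 12.x and later; any BIG-IQ version."""
    if dev.product == "BIG-IQ":
        return True
    if dev.product != "BIG-IP":
        return False
    major = int(dev.version.split(".")[0])
    return dev.version in ("7.0.0", "7.1.0") or major >= 12


def patch_deadline(dev: F5Device, has_patch_cadence: bool = True,
                   today: date = POST_DATE):
    """Return the latest acceptable patch date under the post's guidance,
    or None when the device is outside the stated version scope."""
    if not is_affected(dev):
        return None
    if dev.plane_exposure == "external":
        # 3-5 days from now; use the outer edge as the hard deadline
        return today + timedelta(days=5)
    if has_patch_cadence:
        # 30-day window counted from the disclosure date, not from today
        return DISCLOSURE_DATE + timedelta(days=30)
    # no defined cadence: 20 days from now for internal-only exposure
    return today + timedelta(days=20)


def prioritize(inventory, has_patch_cadence=True, today=POST_DATE):
    """Sort affected devices by deadline (soonest first); drop unaffected ones."""
    rows = []
    for dev in inventory:
        deadline = patch_deadline(dev, has_patch_cadence, today)
        if deadline is not None:
            rows.append((deadline, dev.name))
    return sorted(rows)


# Constructed sample inventory; names and versions are made up for the example.
SAMPLE_INVENTORY = [
    F5Device("edge-lb-1", "BIG-IP", "15.1.0", "external"),
    F5Device("dc-lb-2", "BIG-IP", "14.1.2", "internal"),
    F5Device("mgmt-iq-1", "BIG-IQ", "7.1.0", "internal"),
    F5Device("legacy-lb-3", "BIG-IP", "11.6.5", "internal"),  # outside stated scope
]

if __name__ == "__main__":
    for deadline, name in prioritize(SAMPLE_INVENTORY):
        print(f"{deadline.isoformat()}  {name}")
```

Run it as-is to see the sample inventory ordered by deadline; feed it your own device list (with `plane_exposure` set from firewall or interface data, not guessed) to get a worklist. The internal-exposure deadline is deliberately anchored to the disclosure date rather than to "today", which is what makes the post's "window that started eight days ago" bite as time passes.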


CVE-2021-2 ..