
F5 Fixes RCE Flaws in BIG-IP and BIG-IQ

Updated on 2022-11-18: F5 Big-IP vulnerabilities

Rapid7’s Ron Bowes published details on CVE-2022-41622 and CVE-2022-41800, two vulnerabilities in the Big-IP load balancer, patched this week by F5. Read more:

Overview: F5 Fixes RCE Flaws in BIG-IP and BIG-IQ

F5 has released updates to address two high-severity remote code execution vulnerabilities that affect its BIG-IP and BIG-IQ products. While the flaws are not trivial to exploit, they could be used to gain complete control of vulnerable devices. Researchers from Rapid7 found the vulnerabilities – an unauthenticated RCE via cross-site forgery on iControl SOAP and an authenticated RCE via RPM spec injection, impacting the iControl REST component – as well as “several bypasses of security controls that F5 does not consider vulnerabilities with a reasonable attack surface.”

Note

These are difficult to exploit, so you have time to do regression testing and plan your outage. Even so, don’t assume they are not exploitable: now that the fix and the vulnerability details are public, weaponization is actively being worked on. Implement the recommended mitigations from F5 to restrict access to the management interfaces, both on the self IP addresses and from your network, until you can apply the updates. Consider leaving long-term restrictions in place on where management connections to your F5s can originate from.
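To make the mitigation in the note checkable rather than a reminder, the following added script (not F5's tooling, and not part of the original post) audits the two settings that control where management connections can come from: the httpd allow-list that fronts the GUI, iControl REST and iControl SOAP, and the port-lockdown (`allow-service`) setting of each self IP. The `tmsh list` output format it parses is assumed from the author's recollection of BIG-IP, and the configuration text is constructed for the example; confirm both against a real device before relying on the results.

```python
"""Audit BIG-IP management-plane exposure from 'tmsh list' output.

Added example, not F5 code. It assumes the text layout that
'tmsh list /sys httpd allow' and 'tmsh list /net self' print; the sample
below is constructed to show one wide-open self IP, one with the default
port lockdown, one fully locked down, and an httpd allow-list of 'all'.
"""
import re
from dataclasses import dataclass

# Constructed sample configuration (assumed tmsh format).
SAMPLE_CONFIG = """\
sys httpd {
    allow { all }
}
net self ext-self {
    address 192.0.2.10/24
    allow-service all
    vlan external
}
net self int-self {
    address 10.1.20.5/24
    allow-service { default }
    vlan internal
}
net self ha-self {
    address 10.1.30.5/24
    allow-service none
    vlan ha
}
"""


@dataclass
class Finding:
    object_name: str   # 'sys httpd' or the self IP name
    setting: str       # the weak setting as found
    severity: str      # 'high' or 'medium'
    advice: str        # the hardened setting to move to


# One top-level tmsh object: "<kind> [<name>] {" ... "}" at column 0.
_BLOCK_RE = re.compile(
    r"^(?P<kind>sys httpd|net self)(?: (?P<name>\S+))? \{\n(?P<body>.*?)^\}",
    re.M | re.S,
)


def parse_blocks(text):
    """Yield (kind, name, body) for each httpd / self-IP object in the dump."""
    for m in _BLOCK_RE.finditer(text):
        yield m.group("kind"), m.group("name"), m.group("body")


def audit(text):
    """Return a list of Findings for management-exposure weaknesses."""
    findings = []
    for kind, name, body in parse_blocks(text):
        if kind == "sys httpd":
            m = re.search(r"allow \{ (.*?) \}", body)
            allowed = m.group(1).split() if m else []
            # 'all' (or no list at all) means any source can reach httpd.
            if not allowed or "all" in allowed:
                findings.append(Finding(
                    "sys httpd", "allow { all }", "high",
                    "Limit httpd (GUI, iControl REST/SOAP) to admin subnets: "
                    "tmsh modify /sys httpd allow replace-all-with { <admin-cidr> }",
                ))
        elif kind == "net self":
            m = re.search(r"^\s*allow-service (\S.*)$", body, re.M)
            svc = m.group(1).strip() if m else "none"
            if svc == "all":
                findings.append(Finding(
                    name, "allow-service all", "high",
                    "Self IP answers on every port, management included; "
                    "set allow-service none or an explicit service list",
                ))
            elif "default" in svc:
                findings.append(Finding(
                    name, "allow-service { default }", "medium",
                    "Default port lockdown still admits a built-in set of "
                    "services (HTTPS among them); prefer allow-service none",
                ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.object_name}: {f.setting} -> {f.advice}")
```

In practice you would feed it the concatenated output of the two `tmsh list` commands from each device, and treat any `high` finding on an internet-facing self IP or on `sys httpd` as the first thing to fix before the patch window.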

Read more in
