
F5 Fixes RCE Flaws in BIG-IP and BIG-IQ

Updated on 2022-11-18: F5 Big-IP vulnerabilities

Rapid7’s Ron Bowes published details on CVE-2022-41622 and CVE-2022-41800, two vulnerabilities in the BIG-IP load balancer, patched this week by F5. Read more:

Overview: F5 Fixes RCE Flaws in BIG-IP and BIG-IQ

F5 has released updates to address two high-severity remote code execution vulnerabilities that affect its BIG-IP and BIG-IQ products. While the flaws are not trivial to exploit, they could be used to gain complete control of vulnerable devices. Researchers from Rapid7 found the vulnerabilities – an unauthenticated RCE via cross-site request forgery on iControl SOAP and an authenticated RCE via RPM spec injection, impacting the iControl REST component – as well as “several bypasses of security controls that F5 does not consider vulnerabilities with a reasonable attack surface.”

These are difficult to exploit, so you have time to do regression testing and plan your outage. Even so, don’t assume they are not exploitable: now that the fix and the vulnerability details are public, exploitation is actively being worked on. Implement the mitigations recommended by F5, restricting access to the management interfaces both on the self IP addresses and from your network, until you can apply the updates. Consider leaving long-term restrictions on where management connections to your F5 devices can originate from.
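The following is an added example of what the interim mitigation above looks like in practice; it is not from the article, from F5’s advisory, or from Rapid7. It assumes the BIG-IP `tmsh` shell, an admin network of 192.0.2.0/24 (a placeholder for your jump-host or management network) and `SELF_IP_NAME` as a placeholder for each self IP object on the device.

```tmsh
# Added example (not from the article or from F5): restrict BIG-IP management access
# while the patch is scheduled. Run from the BIG-IP shell as an administrator.

# 1. Limit the httpd allow list (management GUI, iControl REST and SOAP) to the
#    admin network. 192.0.2.0/24 is a placeholder for your management network.
tmsh modify /sys httpd allow replace-all-with { 192.0.2.0/24 }

# 2. Set port lockdown on each self IP so the management services are not
#    reachable through data-plane addresses. SELF_IP_NAME is a placeholder;
#    repeat for every object shown by `tmsh list /net self`.
tmsh modify /net self SELF_IP_NAME allow-service none

# 3. Persist the change and verify what is now exposed.
tmsh save /sys config
tmsh list /sys httpd allow
tmsh list /net self SELF_IP_NAME allow-service
```

If a self IP carries traffic the device needs (for example config sync or failover between peers), `allow-service none` will break it; use an explicit `allow-service` list of only the services that self IP must carry rather than `default`, since `default` still exposes the HTTPS management port. Keep the `httpd allow` restriction after patching, as the closing paragraph suggests, so management access never again depends solely on the absence of an iControl bug.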