Security experts are urging F5 customers to patch a critical vulnerability in the vendor's BIG-IP and BIG-IQ networking products after warning of mass exploitation attempts in the wild.
CVE-2021-22986 is a flaw in the products’ REST-based iControl management interface which could allow for authentication bypass and remote code execution.
With a CVSS rating of 9.8, it was patched on March 10 along with several other bugs that could be chained in attacks. These are: CVE-2021-22987, CVE-2021-22988, CVE-2021-22989 and CVE-2021-22990.
Although no public exploit was known at the time of patching, a week later researchers began posting proof-of-concept (PoC) code online after reverse engineering the F5 patch.
NCC Group warned on Friday that because the REST API in question is designed for remote administration, an attacker could choose which of an organization's multiple exposed management endpoints to target.
“Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure. This knowledge, combined with having reproduced the full exploit-chain, we assess that a public exploit is likely to be available in the public domain soon,” it said.