Attack Information

Tag
CVE-2022-1388
Date
2026-06-04
Client IP
158.94.209.120
Client GEO
United Kingdom
Vendor
F5 Networks
Product
BIG-IP
RAW request
POST /mgmt/tm/util/bash HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13.2) AppleWebKit/619.14.1 (KHTML, like Gecko) Version/17.7.52 Safari/619.14.1
Host: localhost
Content-Type: application/json
Content-Length: 81
X-Forwarded-For: ██████████████
Authorization: Basic YWRtaW46
X-F5-Auth-Token: a
Accept-Encoding: gzip
Connection: close

{
     "command": "run",
     "utilCmdArgs": "-c 'echo CVE-2022-1388 | rev'"
}
Description

CVE-2022-1388 is a critical remote code execution vulnerability in the iControl REST component of F5 BIG-IP products. Disclosed on May 4, 2022, this vulnerability allows threat actors to bypass authentication and execute arbitrary code on unpatched systems. The vulnerability has a CVSS score of 9.8, indicating its high severity. Attackers can exploit this flaw to gain complete control over the affected systems, enabling them to manipulate critical services and data.

The vulnerability exists within the iControl REST framework used by BIG-IP. An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can exploit this vulnerability to execute arbitrary system commands, create or delete files, or disable services. This makes the vulnerability extremely dangerous, especially for organizations that expose the BIG-IP management interface to the internet.

Since the disclosure, there has been mass scanning activity and active exploitation attempts. Proof-of-concept (PoC) exploits have been developed and attacks leveraging the vulnerability have been observed in the wild. The vulnerability can also be exploited by someone who has access to the targeted organization’s network, making internal systems equally vulnerable.

F5 has released patches to mitigate this vulnerability, and organizations are strongly advised to update their BIG-IP deployments to the latest versions. Until patches can be applied, it is recommended to block iControl REST access through the self IP address to mitigate the risk. Additionally, Palo Alto Networks has released a Threat Prevention signature (92570) to help protect against this vulnerability.

Mitigations
  1. Update to the Latest Version: Upgrade your F5 BIG-IP systems to the latest patched versions as provided by F5.
  2. Block iControl REST Access: Until the patch can be applied, block iControl REST access through the self IP address to mitigate the risk.
  3. Monitor for Indicators of Compromise (IoCs): Utilize available IoCs and other resources to monitor for signs of exploitation.
  4. Apply Network Segmentation: Ensure that the management interface is not exposed to the internet and is accessible only through trusted networks.
  5. Use Threat Prevention Signatures: Implement Palo Alto Networks Threat Prevention signature 92570 to detect and block exploitation attempts.
  6. Regularly Review Security Advisories: Stay updated with the latest security advisories from F5 and other cybersecurity organizations.
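Mitigation 3 above (monitoring for indicators of compromise) can be applied directly to the request shape shown in this record. The following is an added example, not code from the original page or from F5, that parses raw HTTP requests and reports the indicators visible in the captured request: a POST to the `/mgmt/tm/util/bash` shell endpoint, `Host: localhost`, an `Authorization: Basic` header whose decoded credential has an empty password, an `X-F5-Auth-Token` header sent alongside Basic authentication, and a `utilCmdArgs` field in the body. The two sample requests are constructed for the example; the hostname and token value in the benign sample are placeholders.

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample requests (not captured traffic). The first mirrors the
# indicators in the record above; the second is a benign iControl REST call
# with a placeholder management hostname and session token.
SAMPLE_REQUESTS = [
    (
        "POST /mgmt/tm/util/bash HTTP/1.0\r\n"
        "Host: localhost\r\n"
        "Content-Type: application/json\r\n"
        "Authorization: Basic YWRtaW46\r\n"
        "X-F5-Auth-Token: a\r\n"
        "Connection: close\r\n"
        "\r\n"
        '{"command": "run", "utilCmdArgs": "-c \'echo CVE-2022-1388 | rev\'"}'
    ),
    (
        "GET /mgmt/tm/ltm/virtual HTTP/1.1\r\n"
        "Host: bigip-mgmt.example.internal\r\n"
        "X-F5-Auth-Token: EXAMPLE-SESSION-TOKEN\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    ),
]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw: str) -> List[str]:
    """Return the CVE-2022-1388 indicators present in one request (empty if none)."""
    method, path, headers, body = parse_request(raw)
    findings: List[str] = []

    # The bash utility endpoint is the one abused in the captured request.
    if method == "POST" and path.startswith("/mgmt/tm/util/bash"):
        findings.append("shell-endpoint")

    # External clients have no reason to claim a loopback Host header.
    if headers.get("host", "").lower() in ("localhost", "127.0.0.1"):
        findings.append("host-localhost")

    auth = headers.get("authorization", "")
    has_basic = auth.lower().startswith("basic ")
    if has_basic:
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            if password == "":
                findings.append(f"basic-auth-empty-password:{user}")
        except Exception:
            findings.append("basic-auth-undecodable")

    # A legitimate client uses either Basic auth or a session token, not both.
    if has_basic and "x-f5-auth-token" in headers:
        findings.append("basic-and-token-both-present")

    if '"utilCmdArgs"' in body:
        findings.append("util-cmd-args-body")
    return findings


def is_exploit_attempt(raw: str) -> bool:
    """Alert when the shell endpoint is hit together with any other indicator."""
    findings = inspect_request(raw)
    return "shell-endpoint" in findings and len(findings) > 1


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n", 1)[0], "->", inspect_request(raw), is_exploit_attempt(raw))
```

The rules are deliberately narrow so the benign management call produces no findings; in production the same checks would run over the management-plane access log, and any match from a source outside the trusted management network should be treated as an exploitation attempt regardless of whether the command in the body looks harmless.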