F5 issues BIG-IP patches to tackle unauthenticated remote code execution, critical flaws

Four out of seven vulnerabilities are considered critical.
Written by Charlie Osborne, Contributing Writer

F5 Networks has pushed out patches to tackle four critical vulnerabilities in BIG-IP, one of which can be exploited for unauthenticated remote code execution (RCE) attacks. 

The enterprise networking provider's BIG-IP applications are enterprise-grade, modular software suites designed for data and app delivery, load balancing, traffic management, and other business functions. 

F5 says that 48 out of Fortune 50 companies are F5 customers. Governments, telecoms firms, financial services, and healthcare providers are counted among clients

F5's security advisory, published on Wednesday, describes seven security flaws impacting BIG-IP and BIG-IQ deployments. 

The worst are CVE-2021-22986 and CVE-2021-22987 which have been issued CVSS severity scores of 9.8 and 9.9, respectively. 

CVE-2021-22986 is an unauthenticated RCE impacting the BIG-IP management interface. 

"The vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services," F5 says. "This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable."

CVE-2021-22987 also impacts Appliance mode while BIG-IP's Traffic Management User Interface (TMUI) is running. Authenticated users able to access TMUI can exploit the bug to execute arbitrary commands, tamper with files, and disable services. 

"Exploitation can lead to complete system compromise and breakout of Appliance mode," F5 added. 

Alongside these security flaws, F5 has also tackled CVE-2021-22991 and CVE-2021-22992, critical buffer overflow bugs impacting the Traffic Management Microkernel (TMM) and Advanced WAF/ASM virtual servers. The vulnerabilities have both been awarded a severity score of 9.0.

Three other vulnerabilities have also been resolved; CVE-2021-22988, CVE-2021-22989, and CVE-2021-22990 -- issued CVSS scores of 8.8, 8.0, and 6.6 -- which could be exploited for the purposes of remote command execution in TMUI components. 

Kara Sprague, senior VP of F5's Application Delivery Controller (ADC) business unit, said "the bottom line is that [the vulnerabilities] affect all BIG-IP and BIG-IQ customers and instances."

"We urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible," the executive added

The vulnerabilities have been patched in BIG-IP versions,, 14.1.4,,, and CVE-2021-22986 also impacts BIG-IQ and is fixed in versions 8.0.0,, and

14 unrelated CVEs were also announced. 

The US Cybersecurity and Infrastructure Security Agency (CISA), which issued an emergency directive last week commanding federal agencies to tackle actively-exploited Microsoft Exchange Server vulnerabilities, recommended that these security issues are dealt with promptly. 

In July 2020, F5 patched a remote code execution vulnerability in BIG-IP, tracked as CVE-2020-5902, which was awarded a rare CVSS severity score of 10.0

Discovered by Mikhail Klyuchnikov, a researcher with Positive Technologies, the bug impacted BIG-IP's TMUI and allowed unauthenticated attackers to remotely compromise TMUI interfaces. 

Only a few days after disclosure, threat actors began launching attacks against internet-facing BIG-IP builds. F5 warned at the time that "if TMUI [is] exposed to the internet and it does not have a fixed version of software installed, there is a high probability that it has been compromised and you should follow your internal incident response procedures."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards