Earlier this month, F5 Networks released patches to fix four critical bugs in BIG-IP and BIG-IQ. At the time, the developers wrote that these vulnerabilities can lead to denial of service (DoS) and even to unauthenticated remote execution of arbitrary code.
One of the most serious fixed vulnerabilities has the identifier CVE-2021-22986 and affects various devices with F5 iControl REST on board. This RCE issue allows arbitrary code to run on vulnerable systems through the iControl REST API without authentication. In practice, this means that any reachable F5 iControl REST interface could be abused by attackers. That is why the flaw was rated 9.8 out of 10 on the CVSSv3 scale.
Last week, a PoC exploit for this problem was published on the Rapid7 AttackerKB portal. Although the exploit was incomplete, it still allowed attackers to develop their own tools, and even then experts warned of a coming wave of attacks.
Since March 18, Bad Packets experts have recorded mass Internet scans in which attackers try to locate vulnerable F5 devices exposing the iControl REST interface.
At the end of last week, NCC Group analysts warned that they had discovered full-fledged attacks in which hackers deployed complete exploit chains against CVE-2021-22986.
Now cybersecurity experts expect that such attacks will only increase in the coming months. After all, F5 devices are very popular and are often used as load balancers and access gateways in large corporate networks, government agencies, data centers and in the infrastructure of Internet providers.