F5 BIG-IP iControl REST Authentication Bypass


F5’s BIG-IP is a product family consisting of software, hardware, and virtual appliances designed around application availability, access control, and security solutions. BIG-IP software products run on top of F5’s Traffic Management Operation System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configurations given. BIG-IP Configuration Utility is a Web GUI that allows F5 users to set up the BIG-IP product and to make additional changes.

Vulnerability| CVE-2022-1388
BIG-IP iControl is a REST API for BIG-IP, which is accessible over HTTPS on port 443/TCP via the following


An authentication bypass vulnerability exists in BIG-IP. The vulnerability is due to insufficient validation of the Connection header field. By including “X-F5-Auth-Token” in the Connection header, the forwarded request will omit the authentication token header leading to authentication bypass. Requests can be made to the endpoint “/mgmt/tm/util/bash” to execute  shell commands.
In the following example, an attacker sends the following unauthenticated POST request

and receives following response :

As seen in the example the attacker is able to successfully run the ‘id’ command on the vulnerable machine. A remote attacker can exploit the vulnerability by sending a malicious request to the target server. This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. Successful exploitation could result in the execution of arbitrary commands under the security context of root.

Following versions are vulnerable:

  • 16.1.0 – 16.1.2
  • 15.1.0 – 15.1.5
  • 14.1.0 – 14.1.4
  • 13.1.0 – 13.1.4
  • 12.1.0 – 12.1.6
  • 11.6.1 – 11.6.5

This vulnerability is patched . The vendor advisory is here

SonicWall Capture Labs provides protection against this threat via following signatures:

  • IPS 15029:F5 BIG-IP iControl REST Authentication Bypass To RCE

Threat Graph

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.