LAST UPDATED: 2022-05-12
This one-time Special Report contains information about exposed F5 iControl REST API instances that are remotely accessible, and thus likely to be vulnerable to a recently published (May 4th 2022) critical RCE vulnerability CVE-2022-1388. We see this vulnerability exploited in the wild.
Information contained in the report is obtained by scanning for the above exposed endpoints.
How we scan
We scan the entire IPv4 address with a HTTP GET request for
/mgmt/shared/authn/login (authentication endpoint) on ports 443, 8443 and 8080 (HTTP/TLS scans) and port 80 (HTTP). If we receive an F5 response we include it in the report. Note that even if a
401 F5 Authorization Required response is received, an exploit for CVE-2022-1388 will be successful if F5 has not been patched.
We do not make any exploitation or assessment if the device is actually vulnerable to CVE-2022-1388, but given the developing incident it is highly probable.
If you have not applied the patch when it was published on May4th 2022, it is likely that your F5 has been compromised already, as exploitation has been observed not long after. Make sure to investigate for signs of compromise in accordance with best practices.
Do not expose your F5 management interface to the public Internet. Use firewalling to block traffic and make sure to patch your F5 system. Detailed guidance on recommended F5 security configuration can be found here.
About Special Reports
Shadowserver Special Reports are unlike all of our other standard free daily network reports.
Instead, we send out Special Reports in situations where we share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit, such as in cases where we have a critical new vulnerability being exploited against potentially high value targets.
Note that the data shared across special reports may differ on a case by case basis hence the report formats for different Special Reports may be different.