On March 10th, enterprise network provider F5 released a security advisory for its BIG-IP and BIG-IQ products, detailing four critical vulnerabilities.
F5 promptly issued patches for the vulnerabilities; however, the problems did not end there. On March 19th, NCC Group researchers reported seeing “full chain exploitation” of CVE-2021-22986, an unauthenticated remote command execution vulnerability with a CVSS criticality score of 9.8.
As Ars Technica explains, this vulnerability “allows remote attackers with no password or other credentials to execute commands of their choice on vulnerable BIG-IP devices” and requires limited technical knowledge to exploit. The NCC Group report provides additional technical assessment and detection methods.
F5’s applications are widely deployed for enterprise-grade application delivery, load balancing, and traffic management, and F5 strongly encourages all BIG-IP and BIG-IQ customers to update their systems as soon as possible.