F5, a vendor of application delivery and security products, is warning that a critical vulnerability in its BIG-IP systems allows unauthenticated attackers with network access to run arbitrary commands.
F5 BIG-IP is a combination of hardware appliances and software that handles access control, application availability (load balancing), and application security. The vulnerability, tracked as CVE-2022-1388, carries a Common Vulnerability Scoring System (CVSS) version 3.1 base score of 9.8 out of 10. According to F5, the flaw lies in the Representational State Transfer (REST) interface of the iControl framework, the management API through which administrators and automation tools configure BIG-IP devices.
Threat actors can use the issue to bypass iControl REST authentication and gain access to F5 BIG-IP systems, allowing them to execute arbitrary system commands, create or delete files, and disable services.
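Because the flaw is reachable by anyone with network access to iControl REST, a first practical check is whether that API is being reached from outside the management network at all. The script below is an added example, not F5 code and not part of the original article: it parses a few constructed, simplified access-log lines and flags requests to the iControl REST base path (/mgmt/) whose source address is not in an assumed management network (10.0.100.0/24 here). The log format and the network range are assumptions; adapt both to your environment.

```python
"""Flag iControl REST requests (paths under /mgmt/) that come from outside
an allowed management network.  Added example, not F5 code: the log format
below is a simplified combined-style line, not a real BIG-IP log format.
"""
import ipaddress
import re

# Assumption: the only network from which iControl REST access is expected.
# Anything else touching /mgmt/ is worth investigating.
MGMT_NETWORKS = [ipaddress.ip_network("10.0.100.0/24")]

# Base path of the iControl REST API on BIG-IP.
ICONTROL_PREFIX = "/mgmt/"

# Constructed, simplified access-log format: source IP, timestamp, request
# line, status code.  Adapt to the real format you ship to your SIEM.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {k: m.group(k) for k in ("src", "ts", "method", "path", "status")}


def is_management_source(src):
    """True if src is a valid IP inside one of the allowed management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # garbage or hostname instead of an address: treat as untrusted
    return any(addr in net for net in MGMT_NETWORKS)


def suspicious_icontrol_requests(lines):
    """Return parsed records for /mgmt/ requests from non-management sources.

    Unparseable lines are skipped rather than raising, so one odd line does
    not abort a whole log file.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(ICONTROL_PREFIX) and not is_management_source(rec["src"]):
            hits.append(rec)
    return hits


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.0.100.5 - - [04/May/2022:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/May/2022:10:02:15 +0000] "POST /mgmt/tm/sys/version HTTP/1.1" 200 318',
    '198.51.100.9 - - [04/May/2022:10:03:44 +0000] "GET / HTTP/1.1" 200 1024',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    for rec in suspicious_icontrol_requests(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} {rec['method']} {rec['path']} -> {rec['status']}")
```

Only the second sample line is reported: it targets the iControl REST path from 203.0.113.7, which is outside the assumed management network. The first line is the same API from a management address, the third is ordinary traffic, and the malformed fourth line is skipped. Any hit from an address you do not recognise as a management host is a reason to confirm that iControl REST is not exposed beyond the networks you intend.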