F5 BIG-IP iControl REST Authentication Bypass

May 20, 2022

F5’s BIG-IP is a product family consisting of software, hardware, and virtual appliances designed around application availability, access control, and security solutions. BIG-IP software products run on top of F5’s Traffic Management Operation System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configurations given. BIG-IP Configuration Utility is a Web GUI that allows F5 users to set up the BIG-IP product and to make additional changes.

Vulnerability| CVE-2022-1388
BIG-IP iControl is a REST API for BIG-IP, which is accessible over HTTPS on port 443/TCP via the following


An authentication bypass vulnerability exists in BIG-IP. The vulnerability is due to insufficient validation of the Connection header field. By including “X-F5-Auth-Token” in the Connection header, the forwarded request will omit the authentication token header leading to authentication bypass. Requests can be made to the endpoint “/mgmt/tm/util/bash” to execute  shell commands.
In the following example, an attacker sends the following unauthenticated POST request

and receives following response :

As seen in the example the attacker is able to successfully run the ‘id’ command on the vulnerable machine. A remote attacker can exploit the vulnerability by sending a malicious request to the target server. This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. Successful exploitation could result in the execution of arbitrary commands under the security context of root.

Following versions are vulnerable:

  • 16.1.0 – 16.1.2
  • 15.1.0 – 15.1.5
  • 14.1.0 – 14.1.4
  • 13.1.0 – 13.1.4
  • 12.1.0 – 12.1.6
  • 11.6.1 – 11.6.5

This vulnerability is patched . The vendor advisory is here

SonicWall Capture Labs provides protection against this threat via following signatures:

  • IPS 15029:F5 BIG-IP iControl REST Authentication Bypass To RCE

Threat Graph