CVE-2021-22986
CVE-2021-22986 is a critical-severity vulnerability in F5 Big-ip Access Policy Manager with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-918.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-10104
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-918
- Affected product: F5 Big-ip Access Policy Manager
- Published:
- Last modified:
Description
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
CVE-2021-22986: F5 BIG-IP/BIG-IQ iControl REST Unauthenticated Remote Command Execution (SSRF)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2021-22986 |
| CVSS v3.1 | 9.8 (Critical) |
| CVSS v2 | 10.0 |
| EPSS | 0.99898 (99.90th percentile) |
| CWE | CWE-918 |
| KEV Added | 2021-11-03 |
| CISA KEV | Yes |
| Source | NVD |
Summary
A Server-Side Request Forgery (SSRF) vulnerability in the iControl REST interface of F5 BIG-IP and BIG-IQ allows unauthenticated remote command execution. The flaw affects multiple BIG-IP versions across numerous modules and BIG-IQ centralized management platforms, with a CVSS v3.1 score of 9.8 and CVSS v2 score of 10.0.
Background
F5 BIG-IP is a widely deployed family of application delivery and security appliances used for load balancing, web application firewalling, access management, and traffic optimization. The iControl REST API provides programmatic management and configuration capabilities. BIG-IQ is F5's centralized management platform for orchestrating multiple BIG-IP devices. This vulnerability exists in the iControl REST interface, which is exposed for administrative automation and integration.
Root Cause
CWE-918 — Server-Side Request Forgery (SSRF). The iControl REST interface fails to adequately validate incoming requests, allowing an attacker to supply URLs or internal service references that the server processes on the attacker's behalf. This SSRF primitive can be leveraged to make unauthorized internal API calls or interact with management services, ultimately leading to unauthenticated remote command execution. The underlying flaw is insufficient input validation on REST endpoints that accept user-influenced network locations.
Impact
This vulnerability carries a CVSS v3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a CVSS v2 score of 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), indicating a network-exploitable, low-complexity, unauthenticated attack with complete impact on confidentiality, integrity, and availability. No privileges or user interaction are required.
The EPSS score of 0.99898 (99.90th percentile) signals near-certain active exploitation in the wild. This vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog (added 2021-11-03) and has been observed in ransomware campaigns, making it a priority patching target.
Exploitation Walkthrough
Ethics caveat: This section is provided for defensive awareness only. No exploit code is included. Security professionals should use this information for detection, hunting, and hardening.
The attack vector is the iControl REST interface, typically exposed on TCP/443 on the management plane. An attacker sends a crafted HTTP request to the REST endpoint. The interface processes the request as an internal call and performs unintended actions on the attacker's behalf. Defensive teams should focus on the following:
- Monitor for anomalous HTTP requests to
/mgmt/paths, especially those with unexpected host headers or internal URLs that do not match the intended backend service. - Watch for requests originating from untrusted source addresses directed at the management interface.
- Review for unexpected POST or GET patterns that may indicate SSRF chaining into internal service endpoints.
- Since the vulnerability is unauthenticated, any successful exploitation will not be preceded by a legitimate login event.
Affected and Patched Versions
BIG-IP (all modules):
- 16.0.x before 16.0.1.1
- 15.1.x before 15.1.2.1
- 14.1.x before 14.1.4
- 13.1.x before 13.1.3.6
- 12.1.x before 12.1.5.3
BIG-IQ Centralized Management:
- 7.1.0.x before 7.1.0.3
- 7.0.0.x before 7.0.0.2
Affected modules include: Access Policy Manager, Advanced Firewall Manager, Advanced Web Application Firewall, Analytics, Application Acceleration Manager, Application Security Manager, DDoS Hybrid Defender, DNS, Fraud Protection Service, Global Traffic Manager, Link Controller, Local Traffic Manager, Policy Enforcement Manager, and SSL Orchestrator.
Remediation
- Upgrade immediately to a patched version listed above. F5 has released security updates addressing this vulnerability.
- Restrict management plane access to trusted administrative hosts and dedicated management networks only. Do not expose the iControl REST interface to untrusted or data-plane networks.
- Disable iControl REST exposure on data-plane interfaces if not required.
- Implement network segmentation and firewall rules limiting source IP addresses to the management interface.
- Monitor continuously for unauthorized REST API access and anomalous management-plane traffic.
Detection
- Monitor unexpected HTTP requests to iControl REST endpoints, especially from non-administrative source addresses.
- Alert on anomalous traffic patterns to TCP/443 on management interfaces from unexpected network segments.
- Review BIG-IP and BIG-IQ audit logs for unauthorized REST API calls.
- Focus network detection on unusual POST or GET requests to
/mgmt/paths with crafted payloads or suspicious headers. - Because this vulnerability is in the CISA KEV catalog and linked to ransomware operations, threat-hunting teams should prioritize indicators of compromise associated with known exploitation frameworks targeting F5 devices.
Assessment
CVE-2021-22986 is an exceptionally high-risk vulnerability due to its unauthenticated, network-exploitable nature with complete system impact. The EPSS of 0.99898 confirms that exploitation in the wild is statistically certain. Its inclusion in the CISA KEV Catalog and observed use in ransomware operations elevates the patching priority to critical. Organizations should treat this as a "patch now" or "isolate now" issue if a patch cannot be immediately applied.
Key lessons:
- Management plane interfaces must be strictly isolated from untrusted networks; any exposed management API is a high-value attack surface.
- High-fidelity monitoring of administrative APIs is essential because unauthenticated command execution on network appliances can rapidly escalate to full network compromise.
References
- F5 Support Article K03009991: https://support.f5.com/csp/article/K03009991
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22986
- PacketStorm Security Advisory (SSRF/RCE): http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
- PacketStorm Security Advisory (RCE): http://packetstormsecurity.com/files/162066/F5-BIG-IP-16.0.x-Remote-Code-Execution.html
Frequently asked questions
- What is CVE-2021-22986?
- On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
- How severe is CVE-2021-22986?
- CVE-2021-22986 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-22986 being actively exploited?
- Yes. CVE-2021-22986 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-22986?
- CVE-2021-22986 primarily affects F5 Big-ip Access Policy Manager. In total, 15 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-22986?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-22986 have an EU (EUVD) identifier?
- Yes. CVE-2021-22986 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-10104. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-22986 published?
- CVE-2021-22986 was published on 2021-03-31 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/162066/F5-BIG-IP-16.0.x-Remote-Code-Execution.html
- https://support.f5.com/csp/article/K03009991
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22986
Affected products (15)
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-iq_centralized_management:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
More vulnerabilities in F5 Big-ip Access Policy Manager
- CVE-2023-41373 — Critical (CVSS 9.9): A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker…
- CVE-2021-22987 — Critical (CVSS 9.9): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x…
- CVE-2025-53521 — Critical (CVSS 9.8): When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code…
- CVE-2023-46747 — Critical (CVSS 9.8): Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the…
- CVE-2022-1388 — Critical (CVSS 9.8): On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6,…
- CVE-2021-23008 — Critical (CVSS 9.8): On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of…
All CVEs affecting F5 Big-ip Access Policy Manager →
Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities
- CVE-2026-47938 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF)…
- CVE-2026-35431 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to…
- CVE-2026-32186 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-33107 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-32871 — Critical (CVSS 10.0): FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP…
- CVE-2026-32169 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a…
Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →