CVE-2021-22986

CVE-2021-22986 is a critical-severity vulnerability in F5 Big-ip Access Policy Manager with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-918.

Key facts

Description

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

CVE-2021-22986: F5 BIG-IP/BIG-IQ iControl REST Unauthenticated Remote Command Execution (SSRF)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2021-22986
CVSS v3.1 9.8 (Critical)
CVSS v2 10.0
EPSS 0.99898 (99.90th percentile)
CWE CWE-918
KEV Added 2021-11-03
CISA KEV Yes
Source NVD

Summary

A Server-Side Request Forgery (SSRF) vulnerability in the iControl REST interface of F5 BIG-IP and BIG-IQ allows unauthenticated remote command execution. The flaw affects multiple BIG-IP versions across numerous modules and BIG-IQ centralized management platforms, with a CVSS v3.1 score of 9.8 and CVSS v2 score of 10.0.

Background

F5 BIG-IP is a widely deployed family of application delivery and security appliances used for load balancing, web application firewalling, access management, and traffic optimization. The iControl REST API provides programmatic management and configuration capabilities. BIG-IQ is F5's centralized management platform for orchestrating multiple BIG-IP devices. This vulnerability exists in the iControl REST interface, which is exposed for administrative automation and integration.

Root Cause

CWE-918 — Server-Side Request Forgery (SSRF). The iControl REST interface fails to adequately validate incoming requests, allowing an attacker to supply URLs or internal service references that the server processes on the attacker's behalf. This SSRF primitive can be leveraged to make unauthorized internal API calls or interact with management services, ultimately leading to unauthenticated remote command execution. The underlying flaw is insufficient input validation on REST endpoints that accept user-influenced network locations.

Impact

This vulnerability carries a CVSS v3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a CVSS v2 score of 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), indicating a network-exploitable, low-complexity, unauthenticated attack with complete impact on confidentiality, integrity, and availability. No privileges or user interaction are required.

The EPSS score of 0.99898 (99.90th percentile) signals near-certain active exploitation in the wild. This vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog (added 2021-11-03) and has been observed in ransomware campaigns, making it a priority patching target.

Exploitation Walkthrough

Ethics caveat: This section is provided for defensive awareness only. No exploit code is included. Security professionals should use this information for detection, hunting, and hardening.

The attack vector is the iControl REST interface, typically exposed on TCP/443 on the management plane. An attacker sends a crafted HTTP request to the REST endpoint. The interface processes the request as an internal call and performs unintended actions on the attacker's behalf. Defensive teams should focus on the following:

  • Monitor for anomalous HTTP requests to /mgmt/ paths, especially those with unexpected host headers or internal URLs that do not match the intended backend service.
  • Watch for requests originating from untrusted source addresses directed at the management interface.
  • Review for unexpected POST or GET patterns that may indicate SSRF chaining into internal service endpoints.
  • Since the vulnerability is unauthenticated, any successful exploitation will not be preceded by a legitimate login event.

Affected and Patched Versions

BIG-IP (all modules):

  • 16.0.x before 16.0.1.1
  • 15.1.x before 15.1.2.1
  • 14.1.x before 14.1.4
  • 13.1.x before 13.1.3.6
  • 12.1.x before 12.1.5.3

BIG-IQ Centralized Management:

  • 7.1.0.x before 7.1.0.3
  • 7.0.0.x before 7.0.0.2

Affected modules include: Access Policy Manager, Advanced Firewall Manager, Advanced Web Application Firewall, Analytics, Application Acceleration Manager, Application Security Manager, DDoS Hybrid Defender, DNS, Fraud Protection Service, Global Traffic Manager, Link Controller, Local Traffic Manager, Policy Enforcement Manager, and SSL Orchestrator.

Remediation

  1. Upgrade immediately to a patched version listed above. F5 has released security updates addressing this vulnerability.
  2. Restrict management plane access to trusted administrative hosts and dedicated management networks only. Do not expose the iControl REST interface to untrusted or data-plane networks.
  3. Disable iControl REST exposure on data-plane interfaces if not required.
  4. Implement network segmentation and firewall rules limiting source IP addresses to the management interface.
  5. Monitor continuously for unauthorized REST API access and anomalous management-plane traffic.

Detection

  • Monitor unexpected HTTP requests to iControl REST endpoints, especially from non-administrative source addresses.
  • Alert on anomalous traffic patterns to TCP/443 on management interfaces from unexpected network segments.
  • Review BIG-IP and BIG-IQ audit logs for unauthorized REST API calls.
  • Focus network detection on unusual POST or GET requests to /mgmt/ paths with crafted payloads or suspicious headers.
  • Because this vulnerability is in the CISA KEV catalog and linked to ransomware operations, threat-hunting teams should prioritize indicators of compromise associated with known exploitation frameworks targeting F5 devices.

Assessment

CVE-2021-22986 is an exceptionally high-risk vulnerability due to its unauthenticated, network-exploitable nature with complete system impact. The EPSS of 0.99898 confirms that exploitation in the wild is statistically certain. Its inclusion in the CISA KEV Catalog and observed use in ransomware operations elevates the patching priority to critical. Organizations should treat this as a "patch now" or "isolate now" issue if a patch cannot be immediately applied.

Key lessons:

  1. Management plane interfaces must be strictly isolated from untrusted networks; any exposed management API is a high-value attack surface.
  2. High-fidelity monitoring of administrative APIs is essential because unauthenticated command execution on network appliances can rapidly escalate to full network compromise.

References

Frequently asked questions

What is CVE-2021-22986?
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
How severe is CVE-2021-22986?
CVE-2021-22986 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-22986 being actively exploited?
Yes. CVE-2021-22986 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-22986?
CVE-2021-22986 primarily affects F5 Big-ip Access Policy Manager. In total, 15 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-22986?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-22986 have an EU (EUVD) identifier?
Yes. CVE-2021-22986 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-10104. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-22986 published?
CVE-2021-22986 was published on 2021-03-31 and last updated on 2026-06-17.

References

Affected products (15)

More vulnerabilities in F5 Big-ip Access Policy Manager

All CVEs affecting F5 Big-ip Access Policy Manager →

Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities

Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →