CVE-2022-1388

CVE-2022-1388 is a critical-severity vulnerability in F5 Big-ip Access Policy Manager with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-10). The underlying weakness is classified as CWE-306.

Key facts

Description

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2022-1388: F5 BIG-IP iControl REST Authentication Bypass

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2022-1388
CVSS v3 9.8 (CRITICAL)
CVSS v2 7.5
EPSS 0.99956
EPSS Percentile 0.99974
CWE CWE-306: Missing Authentication for Critical Function
KEV Yes — CISA KEV (added 2022-05-10)
EU Exploited Yes — EUVD-2022-24705 (since 2022-05-10)
Published 2022-05-05

Summary

CVE-2022-1388 is a critical authentication bypass vulnerability in the iControl REST interface of F5 BIG-IP appliances. An unauthenticated attacker can send specially crafted requests to bypass authentication checks and gain unauthorized access to the management plane, ultimately achieving remote code execution. The vulnerability has been actively exploited in the wild since shortly after disclosure and carries a CVSS v3 score of 9.8.

Background

F5 BIG-IP is a family of hardware and software solutions widely deployed for application delivery, load balancing, and security services. The iControl REST API provides a programmatic interface for configuring and managing BIG-IP devices. Because this API exposes sensitive management functions, it is intended to be accessible only to authenticated and authorized administrators. CVE-2022-1388 undermines this protection by allowing certain requests to reach restricted endpoints without valid credentials.

Root Cause

The vulnerability is classified under CWE-306: Missing Authentication for Critical Function. The iControl REST service fails to enforce authentication on specific request paths or under certain conditions, allowing unauthenticated clients to reach administrative endpoints. The flaw resides in the request-handling logic rather than a specific authentication module, meaning the service incorrectly treats some malicious requests as already authenticated.

Impact

With a CVSS v3 score of 9.8 (CRITICAL), the impact is severe across all three pillars:

  • Confidentiality: HIGH — An attacker can read configuration files, extract SSL certificates, and access sensitive traffic rules.
  • Integrity: HIGH — Administrative endpoints allow modification of virtual servers, pools, policies, and user accounts.
  • Availability: HIGH — Attackers can delete or disrupt services, reload configurations, or crash the device.

The CVSS v3 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms that exploitation is possible over the network, requires no privileges, no user interaction, and is trivial in complexity.

Exploitation Walkthrough

Ethics & Scope: This section describes the attack at a defensive, generic level. No weaponized exploit code is provided. Security professionals should use this information for detection, hardening, and incident-response planning only.

Attackers have been observed scanning for internet-exposed BIG-IP management interfaces (commonly on TCP 443 or dedicated management ports). Once a target is identified, the attacker sends an HTTP request to an iControl REST endpoint using a crafted URI pattern that the appliance mishandles as an authenticated internal request. Successful exploitation typically follows this pattern:

  1. Reconnaissance — Identify exposed BIG-IP devices via banner grabbing or certificate inspection.
  2. Endpoint probing — Send requests to known iControl REST paths (e.g., /mgmt/tm/util/bash) while manipulating headers or URI fragments to trigger the bypass.
  3. Post-exploitation — If authentication is bypassed, the attacker can invoke management utilities, execute system-level commands, or establish persistence by creating local accounts.

Defensive teams should assume that any internet-facing, unpatched BIG-IP management interface is a high-risk target.

Affected and Patched Versions

The following F5 BIG-IP product lines are affected:

Product Family Affected Versions Patched Versions
BIG-IP (all modules) 16.1.x prior to 16.1.2.2 16.1.2.2 and later
BIG-IP (all modules) 15.1.x prior to 15.1.5.1 15.1.5.1 and later
BIG-IP (all modules) 14.1.x prior to 14.1.4.6 14.1.4.6 and later
BIG-IP (all modules) 13.1.x prior to 13.1.5 13.1.5 and later
BIG-IP (all modules) 12.1.x (all) No patch — upgrade required
BIG-IP (all modules) 11.6.x (all) No patch — upgrade required

Note: Versions 12.1.x and 11.6.x had already reached End of Technical Support (EoTS) at the time of disclosure and were not evaluated for patches.

Remediation

  1. Upgrade immediately — Apply the patched versions listed above. F5 has published detailed guidance in support article K23605346.
  2. Restrict management access — Place the management interface on a dedicated, isolated network segment (out-of-band management) and block inbound access from untrusted networks.
  3. Firewall rules — Use upstream firewalls or ACLs to limit source IPs that can reach the iControl REST port.
  4. Compensating controls — If immediate patching is not feasible, disable the iControl REST service where it is not required, or restrict it to localhost-only access until maintenance windows allow upgrading.

Detection

  • Network monitoring — Alert on unexpected HTTP requests to /mgmt/ paths from untrusted source addresses, especially POST/PUT requests without prior authentication handshakes.
  • Log analysis — Review iControl REST access logs for anomalous 200 OK responses following requests that lack a valid session token or bearer credential.
  • File integrity monitoring — Watch for unexpected changes to /config/bigip.conf, user-account databases, or certificate stores.
  • Threat-intelligence feeds — Correlate source IPs with known scanning campaigns linked to CVE-2022-1388 exploitation.

Assessment

With an EPSS score of 0.99956 and inclusion in both the CISA KEV catalog and the EU exploited-vulnerabilities database, CVE-2022-1388 represents one of the highest-probability threats in the disclosed-vulnerability landscape. The combination of trivial exploitability, unauthenticated network access, and full system compromise makes this a "patch now" priority for any organization running affected BIG-IP appliances.

Key lessons:

  1. Management plane exposure is critical risk — Even a single authentication bypass on a management interface can lead to total infrastructure compromise. Strict network segmentation and continuous attack-surface monitoring are essential.
  2. Legacy EoTS software is a liability — Organizations still running 12.1.x or 11.6.x branches had no remediation path other than upgrading, underscoring the importance of staying on supported release trains.

References

Frequently asked questions

What is CVE-2022-1388?
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
How severe is CVE-2022-1388?
CVE-2022-1388 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-1388 being actively exploited?
Yes. CVE-2022-1388 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-1388?
CVE-2022-1388 primarily affects F5 Big-ip Access Policy Manager. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-1388?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-1388 have an EU (EUVD) identifier?
Yes. CVE-2022-1388 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-24705. It is also flagged as exploited in the EUVD (since 2022-05-10).
When was CVE-2022-1388 published?
CVE-2022-1388 was published on 2022-05-05 and last updated on 2026-06-17.

References

Affected products (11)

More vulnerabilities in F5 Big-ip Access Policy Manager

All CVEs affecting F5 Big-ip Access Policy Manager →

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →