F5 iControl REST unauthenticated remote command execution vulnerability [CVE-2021-22986]

CVE number: CVE-2021-22986

The iControl REST interface has an unauthenticated remote command execution vulnerability.

This vulnerability allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. It can be exploited only through the control plane, not through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.

Note: If you believe your system may have been compromised, refer to K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system.

To determine whether your product and version have been evaluated for this vulnerability, see the F5 article K03009991: https://support.f5.com/csp/article/K03009991

Duncan

Duncan is a technology professional with over 20 years' experience working in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.
