Threat Signal Report

Observed in the Wild Exploitation of F5 BIG-IP Remote Command Execution Vulnerability (CVE-2021-22986)


FortiGuard Labs is aware of reports of active in-the-wild exploitation of F5 Big-IP appliances, specifically exploitation of CVE-2021-22986 (iControl REST unauthenticated remote command execution vulnerability). A remote command execution vulnerability exists within the iControl REST interface that allows an unauthenticated remote attacker to issue commands on a vulnerable server.

This specific vulnerability was one of four vulnerabilities released in the F5 March 2021 advisory that was rated CRITICAL. CVE-2021-22986 is the only one observed to be actively exploited in the wild at this time. F5 Big-IP is an application delivery controller (ADC) used to help provide load balancing and facilitate the movement of web traffic to its destination. Because this vulnerability does not require any sophistication to exploit, and the fact that we are starting to see multiple instances of proof of concept code being posted to various known sites, it is highly recommended that organizations affected by this latest vulnerability apply all patches immediately.

What are the Technical Details of this Vulnerability?

CVE-2021-22986 (iControl REST unauthenticated remote command execution vulnerability)

The vulnerability allows an unauthenticated user to perform remote command execution on a vulnerable appliance. An unauthenticated attacker can execute arbitrary system commands, create or delete files, and disable services which ultimately can lead to full system compromise. Ultimately, unpatched systems are susceptible to full control by an attacker. Compromise of this appliance can allow an attacker to use the vulnerability as a foothold for later access. This would allow the threat actor to cause further damage, including the exfiltration of credentials, disruption of services, and ultimately the delivery of malware to vulnerable machines on the victim network such as, but not limited to, ransomware via command execution.

What Versions Are Affected?

Reported versions of CVE-2021-22986 affected are:

BIG-IP versions 16.0.0 - 16.0.1x through 12.1.0 - 12.1.5

For BIG-IQ Centralized Management versions 7.1.0 7.0.0 6.0.0 - 6.1.0

What are the Other (3) CVE's?

CVE-2021-22987 - Appliance mode TMUI authenticated remote command execution vulnerability

An authenticated remote command execution exists in the appliance mode of the traffic management user interface (TMUI). An authenticated user with network access to the configuration utility, through the BIG-IP management port, or self IP addresses, can execute arbitrary system commands, create or delete files, or disable services.

CVE-2021-22991 - TMM buffer-overflow vulnerability

This is a buffer overflow vulnerability in the Traffic Management Microkernel (TMM) where undisclosed requests to a virtual server may be incorrectly handled, which can lead to a buffer-overflow that can result in a DoS attack.

CVE-2021-22992 - Advanced WAF/ASM buffer-overflow vulnerability

A buffer overflow vulnerability exists from a maliciously crafted HTTP response in the Advanced WAF/ASM virtual server that can result in a DoS attack. In certain situations, this can allow for remote code execution (RCE) resulting in full system compromise.

Are there Patches Available for Reported Vulnerabilities by the Vendor?

Patches were available as of March 10, 2021. Please refer to the "K02566623: Overview of F5 vulnerabilities (March 2021)" link in the APPENDIX section for further details.

How Serious of an Issue is This?

HIGH. CVE-2021-22986 (iControl REST unauthenticated remote command execution vulnerability) is rated CRITICAL and has a CVSS score of 9.8. Please note that CVE-2021-22986 is the only vulnerability of the four known to be currently being exploited in the wild at this time.

There are (3) other vulnerabilities that were addressed in the March release from F5 that also have a high CVSS score and they are:

CVE-2021-22987 Appliance mode TMUI authenticated remote command execution vulnerability (9.9 CRITICAL)

CVE-2021-22991 - TMM buffer-overflow vulnerability (9.0 CRITICAL)

CVE-2021-22992 Advanced WAF/ASM buffer-overflow vulnerability (9.0 CRITICAL)

Because of the multiple CVE assignments that are closely related in scope, and due to the potential of these vulnerabilities being chained together for further exploitation, it is imperative that all necessary steps - such as, but not limited to - applying patches and following vendor mitigation is done immediately.

How Widespread is this Attack?

Global. Malicious scans by attackers are currently underway looking for vulnerable unpatched appliances, regardless of location. Multiple proof of concepts are starting to emerge as well.

What is the Status of Coverage?

Customers running current (IPS) definitions are protected by:

CVE-2021-22986 - "F5.iControl.REST.Interface.Remote.Command.Execution"

CVE-2021-22991 - "F5.BIG.IP.TMM.URI.Normalization.Buffer.Overflow"

CVE-2021-22992 - "F5.BIG.IP.ASM.HTTP.Response.Header.Buffer.Overflow"

Coverage for CVE-2021-22987 was deemed not feasible at this time due to lack of detail. Regarding mitigation, for this specific vulnerability, please visit the "K04532512: Frequently asked questions for CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, and CVE-2021-22990" link in the APPENDIX section for further details.

FortiGuard Labs is continuously monitoring this vulnerability and we will update this Threat Signal once more information becomes available.

Is This in Any Way Related to CVE-2020-5902 From Last Year?

Although CVE-2021-22986 is similar in scope to CVE-220-5902 (RCE and 9.8 CVSS score), these are completely separate vulnerabilities.

Are There Any Reports of Nation State Activity Actively Exploiting CVE-2021-22986?

Not that we are aware of at this time.

Any Other Suggested Mitigation?

According to F5, it is recommended to apply all available patches from the March 2021 update immediately. If patching is not possible at this time, F5 recommends the following temporary mitigation:

Block iControl REST access through the self IP address

Block iControl REST access through the management interface

Further details about mitigation can be found in the following advisory located in the APPENDIX section:

K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

The potential for damage to daily operations, reputation, and unwanted release of data, the disruption of business operations, etc. is apparent, and because of this it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed once available, and updated on a regular basis to protect against attackers establishing a foothold within a network.


Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.