Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Vulnerable Product |
---|
f5 big-ip access policy manager |
f5 big-ip advanced firewall manager |
f5 big-ip advanced web application firewall |
f5 big-ip carrier-grade nat |
f5 big-ip ddos hybrid defender |
f5 big-ip ssl orchestrator |
f5 big-ip domain name system |
f5 big-ip local traffic manager |
f5 big-ip policy enforcement manager |
f5 big-ip automation toolchain |
f5 big-ip container ingress services |
f5 big-ip application security manager |
f5 big-ip analytics |
f5 big-ip application acceleration manager |
f5 big-ip application visibility and reporting |
f5 big-ip fraud protection services |
f5 big-ip global traffic manager |
f5 big-ip link controller |
f5 big-ip webaccelerator |
f5 big-ip websafe |
New BIG-IP Next Central Manager bugs allow device takeover
By Sergiu Gatlan, May 8, 2024 03:52 PM

F5 has fixed two high-severity BIG-IP Next Central Manager vulnerabilities, which can be exploited to gain admin control and create hidden rogue accounts on any managed assets. Next Central Manager allows administrators to control on-premises or cloud BIG-IP Next instances and services via a unified management user interface. The flaws are an SQL injection vulnerability (CVE-2024-26026) and an ODat...
Full extent of attacks unknown but telecoms thought to be especially exposed

Vulnerabilities in F5's BIG-IP suite are already being exploited after proof of concept (PoC) code began circulating online. The cybersecurity biz confirmed in an update to its advisory for CVE-2023-46747 that it has evidence of active exploitation in the wild, less than five days after the initial limited-detail research was published by Praetorian. This critical Apache JServ Protocol (AJP) smuggling vulnerability was what attracted much of the attention to F5's BIG-IP configuration utility las...
Crew may well be working under contract for Beijing

Chinese spies exploited a couple of critical-severity bugs in F5 and ConnectWise equipment earlier this year to sell access to compromised US defense organizations, UK government agencies, and hundreds of other entities, according to Mandiant. The Google-owned threat hunters said they assess, "with moderate confidence," that a crew they track as UNC5174 was behind the exploitation of CVE-2023-46747, a 9.8-out-of-10-CVSS-rated remote code execution bug in the F5 BIG-IP Traffic Management User Int...
Fixes came earlier than scheduled as vulnerability became known to outsiders

F5 has issued a fix for a remote code execution (RCE) bug in its BIG-IP suite carrying a near-maximum severity score. Researchers at Praetorian first discovered the authentication bypass flaw in BIG-IP's configuration utility and published their findings this week of what is the third major RCE bug to impact BIG-IP since 2020. Tracked as CVE-2023-46747, the vulnerability was assigned an initial severity score of 9.8 out of a possible 10 on the CVSS scale and, if exploited, could lead to total syst...